Nmap Development mailing list archives

Re: Ncat's ca-bundle.crt file


From: David Fifield <david () bamsoftware com>
Date: Fri, 9 Jan 2015 21:03:21 -0800

On Fri, Jan 09, 2015 at 10:46:20PM -0600, Daniel Miller wrote:
> I did some checking, and it looks like the situation is not so hopeless. As
> David pointed out, we already trust OpenSSL's trust store. This is empty in the
> package coming directly from OpenSSL, since they don't maintain a list of
> trusted CA's, but most Linux distros (and hopefully other *nix-style systems)
> will keep it up-to-date with some form of package management.

One tidbit I know is that Fedora shares certificates across OpenSSL,
NSS, and other crypto libraries.
https://fedoraproject.org/wiki/Features/SharedSystemCertificates
https://fedoraproject.org/wiki/FedoraCryptoConsolidation (now marked out of date)

> In addition to these Windows possibilities, it would be good to find out how
> well things are handled in some other OSs: OS X in particular, I don't know if
> they populate the OpenSSL cert store.

As I recall, the OpenSSL trust store is empty on OS X, or at least was
when I looked at it a few years ago. The system trusted certs are
instead stored in Keychain.

David Fifield