Nmap Development mailing list archives
Re: Ncat's ca-bundle.crt file
From: David Fifield <david () bamsoftware com>
Date: Fri, 9 Jan 2015 21:03:21 -0800
On Fri, Jan 09, 2015 at 10:46:20PM -0600, Daniel Miller wrote:
I did some checking, and it looks like the situation is not so hopeless. As David pointed out, we already trust OpenSSL's trust store. This is empty in the package coming directly from OpenSSL, since they don't maintain a list of trusted CAs, but most Linux distros (and hopefully other *nix-style systems) will keep it up-to-date with some form of package management.
One tidbit I know is that Fedora shares certificates across OpenSSL, NSS, and other crypto libraries. https://fedoraproject.org/wiki/Features/SharedSystemCertificates https://fedoraproject.org/wiki/FedoraCryptoConsolidation (now marked out of date)
In addition to these Windows possibilities, it would be good to find out how well things are handled in some other OSs: OS X in particular, I don't know if they populate the OpenSSL cert store.
As I recall, the OpenSSL trust store is empty on OS X, or at least was when I looked at it a few years ago. The system trusted certs are instead stored in Keychain.

David Fifield
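
Added example, not part of the original messages or of Ncat: one way to check whether the OpenSSL default trust store discussed in this thread is actually populated on a given system, using Python's `ssl` module to read the paths compiled into the OpenSSL it links against. The function names `count_pem_certs`, `audit_store` and `audit_default_store` are hypothetical, and it assumes the certificates are stored in PEM form.

```python
import os
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def count_pem_certs(path):
    """Count PEM certificate blocks in one file; unreadable files count as 0."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read().count(PEM_BEGIN)
    except OSError:
        return 0

def audit_store(cafile, capath):
    """Report how many certificates a bundle file and a hashed directory hold."""
    result = {"cafile": cafile, "cafile_certs": 0,
              "capath": capath, "capath_certs": 0}
    if cafile and os.path.isfile(cafile):
        result["cafile_certs"] = count_pem_certs(cafile)
    if capath and os.path.isdir(capath):
        # Hashed directories usually hold symlinks next to the real files, so
        # this count is an upper bound; a result of zero is still exact.
        for name in os.listdir(capath):
            full = os.path.join(capath, name)
            if os.path.isfile(full):
                result["capath_certs"] += count_pem_certs(full)
    result["empty"] = result["cafile_certs"] + result["capath_certs"] == 0
    return result

def audit_default_store():
    """Audit the default locations of the OpenSSL that Python links against."""
    paths = ssl.get_default_verify_paths()
    # cafile/capath are the resolved values (None when the path is missing);
    # openssl_cafile/openssl_capath are the built-in defaults.
    return audit_store(paths.cafile or paths.openssl_cafile,
                       paths.capath or paths.openssl_capath)

if __name__ == "__main__":
    for key, value in audit_default_store().items():
        print(f"{key}: {value}")
```

An `empty: True` result means a client relying only on OpenSSL's defaults has no CA to verify against on that system, which is the case described above for a stock OpenSSL package and for OS X.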