Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [Ncat] ca-bundle.crt contains expired certs
From: David Fifield <david () bamsoftware com>
Date: Fri, 27 May 2011 23:08:36 -0700

On Thu, May 19, 2011 at 06:49:10PM -0500, Daniel Miller wrote:

The ca-bundle.crt file that Ncat uses for --ssl-verify is out of date. I
started by looking to see if any Comodo certificates were in it (remember
that fiasco?), but decided to do a verification of the others, as best as I
could. I'm sure this is incomplete, since I didn't check for revoked
certificates (I don't think). Here's my process:

# Split the file into separate certificates, each new file named xxNN where
NN is sequential.
csplit ca-bundle.crt '/^$/' '{*}'
# Loop over the certs and verify
for i in xx*; do openssl verify $i; done >verification.txt
# Look for expired certs
grep -B1 expired verification.txt | grep ^/

By my count, 29 of the 106 certificates are expired. The problem of whom to
trust in certificate verification is complex, but in the case of Ncat, there
are likely fewer security holes than in the average Web browser, so we can
be a little more lenient. It comes down to the use cases: why do Ncat users
use the --ssl-verify feature? I can't really answer that, since I don't use
it myself. But I think we would best serve the Ncat users by at least
updating the file from the Microsoft source that's mentioned in

Thanks for checking this. Having to maintain a CA list is a crummy job
to have. I read the EFF's SSL Observatory page at
http://www.eff.org/observatory. Their Defcon presentation slides say
that Windows 7 has only 19 trusted root certs, though the list can be
silently and dynamically expanded. I checked on a new Windows 7 and
found only 11:

subject=/C=ZA/ST=Western Cape/L=Durbanville/O=Thawte/OU=Thawte Certification/CN=Thawte Timestamping CA
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium 
Server CA/emailAddress=premium-server () thawte com
subject=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign Time Stamping Service Root/OU=NO LIABILITY ACCEPTED, 
(c)97 VeriSign, Inc.
subject=/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
subject=/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
subject=/C=US/O=MSFT/CN=Microsoft Authenticode(tm) Root Authority
subject=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
subject=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
subject=/O=Microsoft Trust Network/OU=Microsoft Corporation/OU=Microsoft Time Stamping Service Root/OU=Copyright (c) 
1997 Microsoft Corp.
subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

It would probably be better to switch to this much shorter list?

David Fifield
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]