Zgrab2 cannot automatically load the root certificate of the operating system #420
Comments
jiaocoll
changed the title
Personally I prefer that it doesn't try to automatically do anything not explicitly asked of it (like search for/guess where the CA bundle is on my system) If you're saying that even when explicitly specified, it doesn't load the bundle, that may be an issue you can create in the zcrypto project Maybe there's a reason it was removed, but seems it would be harmless to have it reference a bundle, but only if explicitly specified. There may be complications to changing that though, I'm not familiar with the code tl; dr; this is probably better as an issue in the zcrypto repo |
|
Can this be closed? I don't see any immediate interest from the maintainers to change the current behavior as I believe it was a very deliberate choice on their part (Which I happen to agree with, by the way- I'm not sure that there is any portable, standard, straightforward way to determine where the system CA bundle is stored on a given system as I believe distribution maintains are free to choose this location; determining this automatically would be a clunky solution and would probably require continuous code changes) |
Using the tls function of zgrab2, it was found that almost all tls requests were unable to verify the certificate chain, with surprisingly consistent error codes of x509: failed to load system roots and no roots provided.
What I expect is that zgrab2 can automatically load the root certificate of the operating system itself when I do not specify the root certificate parameters. But it didn't load. Later, by looking at the code, it was discovered that zcrypto seemed to have removed the part of the code that loaded the root certificate based on the system?
I think the parameters should be optional, not mandatory. When I don't specify a certificate, zgrab2 should automatically load the root certificate of the operating system.
The text was updated successfully, but these errors were encountered: