From 4dedf447e5fb50cb30729c41ad080fd5fda226e2 Mon Sep 17 00:00:00 2001 From: fyodor Date: Mon, 24 Nov 2014 19:36:08 +0000 Subject: [PATCH] a couple more tasks --- todo/nmap.txt | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/todo/nmap.txt b/todo/nmap.txt index 9f9fdddf6..cf5eab62c 100644 --- a/todo/nmap.txt +++ b/todo/nmap.txt @@ -7,10 +7,6 @@ o Do the very latest Nmap IPv4 OS detection (last was done with o Make sure the new version detection sigs have appropriate CPE’s. -o Deal with our out-of-date CA root certificate bundle by either using -OS-specific mechanisms and/or updating the latest from Mozilla or -another source. See http://seclists.org/nmap-dev/2014/q4/200 - o Integrate latest IPv6 OS detection submissions and corrections o Make Windows 8.1 VM with VS 2013 and do more testing of Nmap compilation/running @@ -19,6 +15,21 @@ o Make and test build on a newer OS X than 10.6 (10.10 was recently released) o Update OpenSSL library to 1.0.1j +o Deal with our out-of-date CA root certificate bundle by either using + OS-specific mechanisms and/or updating the latest from Mozilla or + another source. See http://seclists.org/nmap-dev/2014/q4/200 + +o Change Ncat so that it does SSL certificate trust checking by + default (even without --ssl-verify) and provides a warning and the key + fingerprint if there is no valid trusted chain or the cert is + expired, etc. The warning should happen (to STDERR) even if -v is + not specified. We should add a new option to force Ncat to quit if + cert not valid, and --ssl-verify should become an undocumented alias + for that. + +o Figure out what nmap-update is doing for SSL certificate + verification (it uses libsvn to our SSL svn server). + o Audit ncat's ssl algorithm and ciphersuite choices o Do a test/beta release (more, if necessary)
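Review bot: the subject line "a couple more tasks" does not account for the removal in the first hunk (@@ -7,10 +7,6), where the CA root certificate bundle entry is deleted and then re-added in the second hunk with only its continuation lines re-indented. Mention the move in the commit message, or put the reorder and re-indent in a separate commit, so that the diff for this one shows only the two new tasks (Ncat trust checking and nmap-update verification).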
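Review bot: in the second hunk (@@ -19,6 +15,21), the new Ncat entry leaves the failure conditions open with "no valid trusted chain or the cert is expired, etc."; list the cases that must trigger the warning, and say explicitly whether a hostname mismatch is one of them, since the text does not mention it. The entry also implies that the default is to warn on STDERR and continue, with quitting left to the new option. State that outright, and give the new option a name so the "undocumented alias" for `--ssl-verify` has something concrete to point at. "Key fingerprint" should say whether it means the certificate or the public key, and which hash is used. Finally, default trust checking depends on the CA bundle entry directly above it: with the bundle described as out-of-date, the warning would fire on chains that a current bundle would accept, so note that ordering in the entry.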