Bug 1744561 - nmap-ncat package missing /usr/share/ncat/ca-bundle.crt
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: nmap
Version: 30
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Pavel Zhukov
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-22 12:32 UTC by dwgoldfarb
Modified: 2019-08-23 08:07 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-23 08:07:30 UTC
Type: Bug
Embargoed:



Description dwgoldfarb 2019-08-22 12:32:16 UTC
Description of problem:

/usr/bin/ncat attempts to access missing file /usr/share/ncat/ca-bundle.crt


Version-Release number of selected component (if applicable):

rpm -qi nmap-ncat

Name        : nmap-ncat
Epoch       : 2
Version     : 7.70
Release     : 7.fc30
Architecture: x86_64
Install Date: Fri 16 Aug 2019 10:22:34 AM EDT
Group       : Unspecified
Size        : 622582
License     : Nmap
Signature   : RSA/SHA256, Thu 02 May 2019 09:16:21 AM EDT, Key ID ef3c111fcfc659b9
Source RPM  : nmap-7.70-7.fc30.src.rpm
Build Date  : Thu 02 May 2019 09:02:49 AM EDT
Build Host  : buildhw-03.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://nmap.org/
Bug URL     : https://bugz.fedoraproject.org/nmap
Summary     : Nmap's Netcat replacement




How reproducible:

Error is seen in command:

/usr/bin/ncat -vvv --proxy localhost:9050 --proxy-type socks5 1.2.3.4 22

The command above gives "Proxy connection failed: connection refused"




Steps to Reproduce:


/usr/bin/ncat -vvv --proxy localhost:9050 --proxy-type socks5 1.2.3.4 22


Actual results:

Ncat: Version 7.70 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in /usr/share/ncat/ca-bundle.crt.
NCAT DEBUG: Unable to load trusted CA certificates from /usr/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory
Ncat: Proxy connection failed: Connection refused.


Using the command:

strings /usr/bin/ncat | grep ca-bundle 

shows that the path /usr/share/ncat/ca-bundle.crt is hard-coded into the ncat binary.




I subsequently discovered that changing 'localhost' to 127.0.0.1 allowed the connection to continue, but I still see the DEBUG error message about accessing the ca-bundle.crt file.


/usr/bin/ncat -vvv --proxy 127.0.0.1:9050 --proxy-type socks5 1.2.3.4 22



Expected results:

Three possible resolutions as I see it:

1) Update the ncat source with a hardcoded reference to /etc/pki/tls/certs/ca-bundle.crt instead of /usr/share/ncat/ca-bundle.crt

2) The nmap-ncat RPM postinstall script could create the directory and softlink to /etc/pki/tls/certs/ca-bundle.crt 

3) Include /usr/share/ncat/ca-bundle.crt in the nmap-ncat rpm



Additional info:

Fresh install of Fedora30 with all updates

Comment 1 Pavel Zhukov 2019-08-23 08:07:30 UTC
The debug message is harmless. It reports that it failed to load _additional_ certificates and should not affect SSL verification. ncat's ca-bundle.crt is not installed if OpenSSL support was enabled, which is the case for Fedora.
See https://github.com/nmap/nmap/blob/master/ncat/certs/README
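
The behaviour described in Comment 1, as an added example that is not part of the bug report or of ncat's code: Python's ssl module wraps the same OpenSSL library, so it can show that a missing additional CA bundle raises an error while the default trust configuration and certificate verification stay as they were. The function name and the use of Python are assumptions made for illustration; the bundle path is the one from the debug output above.

```python
import ssl

# Path taken from the NCAT DEBUG output in the report.
NCAT_EXTRA_BUNDLE = "/usr/share/ncat/ca-bundle.crt"


def build_context(extra_bundle=NCAT_EXTRA_BUNDLE):
    """Load the system default CAs, then try to add an extra bundle.

    Returns (context, stats_before, stats_after, error). error is None
    when the extra bundle was loaded successfully.
    """
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Point the context at the system default trust store.
    ctx.set_default_verify_paths()
    before = ctx.cert_store_stats()

    error = None
    try:
        # Additional CAs; a missing file fails here and nowhere else.
        ctx.load_verify_locations(cafile=extra_bundle)
    except (FileNotFoundError, ssl.SSLError) as exc:
        error = exc

    after = ctx.cert_store_stats()
    return ctx, before, after, error


if __name__ == "__main__":
    paths = ssl.get_default_verify_paths()
    print("default cafile:", paths.cafile)
    print("default capath:", paths.capath)

    ctx, before, after, error = build_context()
    if error is not None:
        print("extra bundle not loaded:", error)
    print("store unchanged:", before == after)
    print("verification still required:", ctx.verify_mode == ssl.CERT_REQUIRED)
```
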

