zgrab2 icon indicating copy to clipboard operation
zgrab2 copied to clipboard

Published 20 hours ago verified publisher icon zmap

Zgrab2 cannot automatically load the root certificate of the operating system

Open jiaocoll opened this issue 1 year ago • 2 comments

Using the tls function of zgrab2, it was found that almost all tls requests were unable to verify the certificate chain, with surprisingly consistent error codes of x509: failed to load system roots and no roots provided. What I expect is that zgrab2 can automatically load the root certificate of the operating system itself when I do not specify the root certificate parameters. But it didn't load. Later, by looking at the code, it was discovered that zcrypto seemed to have removed the part of the code that loaded the root certificate based on the system? I think the parameters should be optional, not mandatory. When I don't specify a certificate, zgrab2 should automatically load the root certificate of the operating system.

jiaocoll avatar Apr 12 '24 05:04 jiaocoll

Using the tls function of zgrab2, it was found that almost all tls requests were unable to verify the certificate chain, with surprisingly consistent error codes of x509: failed to load system roots and no roots provided.

What I expect is that zgrab2 can automatically load the root certificate of the operating system itself when I do not specify the root certificate parameters. But it didn't load. Later, by looking at the code, it was discovered that zcrypto seemed to have removed the part of the code that loaded the root certificate based on the system?

I think the parameters should be optional, not mandatory. When I don't specify a certificate, zgrab2 should automatically load the root certificate of the operating system.

Personally I prefer that it doesn't try to automatically do anything not explicitly asked of it (like search for/guess where the CA bundle is on my system)

If you're saying that even when explicitly specified, it doesn't load the bundle, that may be an issue you can create in the zcrypto project

Maybe there's a reason it was removed, but seems it would be harmless to have it reference a bundle, but only if explicitly specified. There may be complications to changing that though, I'm not familiar with the code

tl; dr; this is probably better as an issue in the zcrypto repo

mzpqnxow avatar Aug 04 '24 13:08 mzpqnxow

Can this be closed? I don't see any immediate interest from the maintainers to change the current behavior as I believe it was a very deliberate choice on their part

(Which I happen to agree with, by the way- I'm not sure that there is any portable, standard, straightforward way to determine where the system CA bundle is stored on a given system as I believe distribution maintains are free to choose this location; determining this automatically would be a clunky solution and would probably require continuous code changes)

mzpqnxow avatar Oct 12 '24 11:10 mzpqnxow

Yeah I think I agree, on Mac the process looks like running

security export -t certs -f pemseq -k /System/Library/Keychains/SystemRootCertificates.keychain -o /tmp/all_certs.pem

And this feels like something we don't want ZGrab doing by default. If people have strong objections, we can revisit, but I'm closing this issue for now.

phillip-stephens avatar May 06 '25 20:05 phillip-stephens