95048 – Metasploit Framwork Certificate Update

Bug 95048 - Metasploit Framwork Certificate Update

Summary: Metasploit Framwork Certificate Update

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	x86 Linux

Importance:	High major (vote)
Assignee:	Gentoo Netmon project

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-06-04 11:50 UTC by H D Moore
Modified:	2005-06-04 17:56 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description H D Moore 2005-06-04 11:50:02 UTC

The CA certificate for the Metasploit Framework update server has changed. This
will prevent the msfupdate feature from working until the certificate is updated
in the ebuild. The 2.4 packages have been updated and re-released with the new
CA cert. Please refer to
http://metasploit.com/projects/Framework/docs/ssl_update.txt for details. To fix
this issue, just replace the current framework-2.4.tar.gz with the one available
from the Downloads page at metasploit.com and update the MD5.

Reproducible: Always
Steps to Reproduce:
1. msfupdate -u
2. Look for the SSL error


Actual Results:  
SSL error

Expected Results:  
List of available updates or "no updates found" message

Comment 1 Marcelo Goes (RETIRED) gentoo-dev

2005-06-04 15:35:18 UTC

After getting the framework from their mirrors, I regenerated the digest,
re-emerged the package and I am still getting the SSL problem. Will try again later.

Comment 2 Marcelo Goes (RETIRED) gentoo-dev

2005-06-04 16:10:42 UTC

My bad, didn't realize the new correct file had -snapshot in it.
Thanks for reporting, in cvs.

Comment 3 H D Moore 2005-06-04 16:11:54 UTC

The new correct file is not the snapshot (that changes md5's everytime there is
an update). The following log shows that the standard 2.4 package appears to be
fixed.

outernet ~ # wget metasploit.com/tools/framework-2.4.tar.gz
--18:09:41--  http://metasploit.com/tools/framework-2.4.tar.gz
           => `framework-2.4.tar.gz'
Resolving metasploit.com... 66.234.161.200
Connecting to metasploit.com[66.234.161.200]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2,607,730 [application/x-tar]

100%[================================================================>]
2,607,730    598.59K/s    ETA 00:00

18:09:45 (594.52 KB/s) - `framework-2.4.tar.gz' saved [2607730/2607730]

outernet ~ # tar -zpxf framework-2.4.tar.gz
outernet ~ # md5sum framework-2.4.tar.gz
cb3319b92399c7fab68c742dc750589e  framework-2.4.tar.gz
outernet ~ # cd framework-2.4
outernet framework-2.4 # ./msfupdate -u

+ -- --=[ msfupdate v2.4 [revision 1.39]

[*] Calculating local file checksums, please wait...

[*] No new updates are available
outernet framework-2.4 #

Comment 4 Marcelo Goes (RETIRED) gentoo-dev

2005-06-04 16:47:47 UTC

Hmmm, you're right. I don't know why it didn't work before, but the current
release works now. Fixed in cvs.

Thanks again and sorry for making a fool out of myself.

Comment 5 H D Moore 2005-06-04 17:56:22 UTC

I am the one who lost the CA key, no worries ;-) Thanks!