Feature #11810

Feature #11809: Deal with tails.b.o's X.509 certificate expiring early 2017

Have our website CA bundle trust Let's Encrypt CA

Added by intrigeri about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: -
Target version:
Start date: 09/19/2016
Due date:
% Done: 100%
Feature Branch: feature/11810-lets-encrypt, perl5lib:feature/11810-lets-encrypt
Type of work: Code
Blueprint:
Starter:
Affected tool: Upgrader

Description

We're told that https://tails.b.o will likely switch to Let's Encrypt certificates around the end of the year, so config/chroot_local-hooks/58-create-tails-website-CA-bundle needs to add Let's Encrypt CA. We probably need to add Let's Encrypt intermediate CA (currently signed by IdenTrust's root CA): if we instead added IdenTrust's root CA, then things might start breaking once Let's Encrypt starts delivering certificates signed by its intermediate CA, itself signed by their own root CA (technically there will still be a trust path but the files set up by Let's Encrypt client on the web server may not advertise it so our clients won't know about it). See https://letsencrypt.org/2016/08/05/le-root-to-be-trusted-by-mozilla.html.


Related issues

Blocks Tails - Bug #11812: tails-security-check's CA pinning is not effective on sid Resolved 09/19/2016

Associated revisions

Revision 5df4ada3 (diff)
Added by intrigeri about 3 years ago

Port tails-security-check to use Tails::Download::HTTPS.

This is needed to pin Let's Encrypt intermediate CA, which is not supported by
IO::Socket::SSL and Net::SSLeay. For details, see:
https://labs.riseup.net/code/issues/11810#note-1.

Besides, it's much cleaner and easier to maintain to have one single (somewhat
hardened) HTTPS download implementation, that's covered quite a bit by
tails-iuk's test suite, instead of having to maintain a second one just for
tails-security-check.

refs: #11810

Revision b0e3da3a (diff)
Added by intrigeri about 3 years ago

Import Let's Encrypt intermediate CA.

refs: #11810

Revision 0311be12 (diff)
Added by intrigeri about 3 years ago

Add Let's Encrypt intermediate CA to the bundle used for authenticating our website.

refs: #11810

Revision 8e60f866
Added by bertagaz about 3 years ago

Merge remote-tracking branch 'origin/feature/11810-lets-encrypt' into stable

Fix-committed: #11810

History

#1 Updated by intrigeri about 3 years ago

For labs.r.n, that uses a Let's Encrypt-issued certificate signed by Let's Encrypt intermediate CA, itself signed by the DST root CA, both work:

gnutls-cli --verbose  --port 443 --x509cafile /tmp/letsencrypt-intermediate.pem labs.riseup.net
gnutls-cli --verbose  --port 443 --x509cafile /etc/ssl/certs/DST_Root_CA_X3.pem labs.riseup.net
curl --cacert /tmp/letsencrypt-intermediate.pem --capath . https://labs.riseup.net/test/tails.boum.org/security/index.en.atom

As explained above, using the DST root CA is risky, so apparently we could use Let's Encrypt's intermediate CA if the actual consumers of this CA (tails-security-check and Tails Upgrader), and the libraries that they use, can do that just like gnutls-cli. Let's see:

  • tails-security-check uses IO::Socket::SSL and Net::SSLeay. Pinning the intermediary CA fails (tested with HTTPS_CA_FILE=./letsencrypt-intermediate.pem tails-security-check after patching the script to set $default_base_url = 'https://labs.riseup.net/test/tails.boum.org/security/'). Pinning the root CA works (HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check).
  • Tails Upgrader uses Tails::Download::HTTPS, that itself uses WWW::Curl::Easy. Pinning the intermediary CA works fine (tested with /usr/local/bin/tails-upgrade-frontend-wrapper --override-baseurl https://labs.riseup.net/test/tails.boum.org after patching /usr/share/perl5/Tails/Download/HTTPS.pm to set $cafile = '/tmp/letsencrypt-intermediate.pem').

So, if tails-security-check was modified to use Tails::Download::HTTPS, then we would be able to pin Let's Encrypt intermediate CA, and thus support both the current situation (intermediate CA signed by the DST root CA) and the future one (intermediate CA signed with Let's Encrypt's own root CA).

Next step is to check if this would work fine on Stretch as well.
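
The following is an added example, not part of the ticket or of Tails' code: it uses the `openssl` command line on a constructed PKI to show the trade-off discussed in the comment above between pinning a root and pinning an intermediate CA. OpenSSL's verifier accepts a non-self-signed trust anchor only with its partial-chain flag; the script also re-issues the intermediate (same key) under a second root to model the later switch. All certificate names and files are hypothetical, and the script does not reproduce the Perl libraries tested here.

```shell
#!/bin/bash
# Constructed PKI: root -> inter -> leaf, plus root2 re-issuing inter (same key).
# All names are hypothetical; nothing here is taken from Tails or Let's Encrypt.
set -e
PKI=$(mktemp -d)

make_pki() (
  cd "$PKI"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf
  for n in root root2 inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$n.key"
  done
  for n in root root2; do   # two self-signed roots
    openssl req -x509 -new -config pki.cnf -extensions ca -key "$n.key" \
      -subj "/CN=Constructed $n" -days 2 -out "$n.pem"
  done
  issue() {  # issue <out> <key/csr name> <CN> <issuer> [x509 args...]
    out=$1 name=$2 cn=$3 issuer=$4; shift 4
    openssl req -new -config pki.cnf -key "$name.key" -subj "/CN=$cn" -out "$name.csr"
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 2 -out "$out.pem" "$@"
  }
  issue inter  inter "Constructed Intermediate" root  -extfile pki.cnf -extensions ca
  issue inter2 inter "Constructed Intermediate" root2 -extfile pki.cnf -extensions ca
  issue leaf   leaf  "www.example.test"         inter
) >/dev/null 2>&1

# pin_result <pinned anchor> <intermediate the server sends> [verify flags...]
# Prints "accepted" or "rejected" for the leaf certificate.
pin_result() {
  anchor=$1 sent=$2; shift 2
  if openssl verify "$@" -CAfile "$PKI/$anchor.pem" -untrusted "$PKI/$sent.pem" \
       "$PKI/leaf.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

make_pki
echo "pin root,  server sends inter : $(pin_result root inter)"
echo "pin inter, OpenSSL default    : $(pin_result inter inter)"
echo "pin inter, -partial_chain     : $(pin_result inter inter -partial_chain)"
echo "after the switch to root2:"
echo "pin root,  server sends inter2: $(pin_result root inter2)"
echo "pin inter, -partial_chain     : $(pin_result inter inter2 -partial_chain)"
```
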

#2 Updated by intrigeri about 3 years ago

  • Related to Bug #11812: tails-security-check's CA pinning is not effective on sid added

#3 Updated by intrigeri about 3 years ago

intrigeri wrote:

> Next step is to check if this would work fine on Stretch as well.

Pinning the intermediate CA still works for Tails Upgrader on feature/stretch. So next step is to try and convert tails-security-check to use Tails::Download::HTTPS.

#4 Updated by intrigeri about 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/11810-lets-encrypt, perl5lib:feature/11810-lets-encrypt

I've released tails-perl5lib 0.9.7 from my topic branch and built+imported a 0.9.7-1 package from it. That's bold, i.e. if we don't want these changes in the end then we'll need to revert stuff on the debian branch of the perl5lib repo. But the only change there is a simple one-liner so I wanted to save everyone (bertagaz and I) some time.

Testing protocol:

  • Tails 2.5
    • tails-security-check should work
    • tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • feature/11810-lets-encrypt
    • tails-security-check should work
    • tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • Tails 3.x
    • tails-security-check should work
    • tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail

#5 Updated by intrigeri about 3 years ago

  • Assignee changed from intrigeri to bertagaz
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Test results:

  • Tails 2.5
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • feature/11810-lets-encrypt
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • OK HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • current feature/stretch + feature/11810-lets-encrypt except the perl5lib change proposed on this ticket
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • FAIL (which demonstrates the bug fixed in perl5lib) HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • FAIL (which demonstrates the bug fixed in perl5lib) HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • Tails 3.x + feature/11810-lets-encrypt
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • OK HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail

All this seems good so please review'n'merge feature/11810-lets-encrypt into stable (tails.git) and feature/11810-lets-encrypt into master (perl5lib.git).

#6 Updated by intrigeri about 3 years ago

  • Related to deleted (Bug #11812: tails-security-check's CA pinning is not effective on sid)

#7 Updated by intrigeri about 3 years ago

  • Blocks Bug #11812: tails-security-check's CA pinning is not effective on sid added

#8 Updated by bertagaz about 3 years ago

  • Status changed from In Progress to 11
  • % Done changed from 50 to 100

#9 Updated by bertagaz about 3 years ago

  • Assignee deleted (bertagaz)
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:

> All this seems good so please review'n'merge feature/11810-lets-encrypt into stable (tails.git) and feature/11810-lets-encrypt into master (perl5lib.git).

My own testing tends to confirm yours, so I've merged it. Nice to catch things early for once!

#10 Updated by intrigeri about 3 years ago

> My own testing tends to confirm yours,

"tends to"? Do you mean it does not fully confirm my testing?

> Nice to catch things early for once!

:)

#11 Updated by bertagaz about 3 years ago

intrigeri wrote:

> > My own testing tends to confirm yours,

> "tends to"? Do you mean it does not fully confirm my testing?

No, they are! :)

#12 Updated by bertagaz about 3 years ago

  • Status changed from 11 to Resolved
