
Bug #11812

tails-security-check's CA pinning is not effective on sid

Added by intrigeri about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Elevated
Assignee:
Category: -
Target version:
Start date: 09/19/2016
Due date:
% Done: 100%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool: Security Check

Description

I guess it's the same on Stretch. The BEGIN block does not work as it used to. This instead seems to work:

    $ua->ssl_opts(verify_hostname => 1);
    $ua->ssl_opts(SSL_ca_file     => $cafile);

To be verified: do we also need to empty SSL_ca_path to avoid the system's /etc/ssl/certs/ from being used?

Note that we might wish to change the way tails-security-check does HTTPS requests entirely (#11810#note-1) so let's hold on a bit here.
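The following script is an added example, not code from tails-security-check or from this ticket. It builds an LWP::UserAgent the way the description suggests (explicit ssl_opts instead of a BEGIN block setting HTTPS_CA_FILE) and then answers the open question empirically, the way the QA plan on this ticket does: the pinned bundle must work, and a bundle that does not contain the site's CA must be rejected with a certificate verification error. The URL and the bundle paths are placeholders; passing an empty SSL_ca_path to keep IO::Socket::SSL away from /etc/ssl/certs is the assumption under test, and the negative check is what proves or disproves it. It needs network access to the endpoint.

```perl
#!/usr/bin/perl
# Added example, not tails-security-check's own code: pin an LWP::UserAgent
# to a single CA bundle and self-check that the pinning is effective.
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;   # dies early if HTTPS support is missing

# Assumed URL and bundle paths; adjust to the real endpoint and bundle.
my $URL       = 'https://tails.boum.org/security/';
my $PINNED_CA = '/usr/share/tails/website-ca-bundle.pem';      # hypothetical
my $WRONG_CA  = '/etc/ssl/certs/AddTrust_External_Root.pem';   # must NOT work

# Build a user agent that trusts only $cafile.
sub pinned_ua {
    my ($cafile) = @_;
    -r $cafile or die "CA bundle '$cafile' is not readable\n";
    my $ua = LWP::UserAgent->new(timeout => 30);
    $ua->env_proxy;
    # Explicit ssl_opts: a BEGIN { $ENV{HTTPS_CA_FILE} = ... } block is what
    # stopped working on sid.
    $ua->ssl_opts(verify_hostname => 1);
    $ua->ssl_opts(SSL_ca_file     => $cafile);
    # Assumption: with SSL_ca_file set and SSL_ca_path empty, IO::Socket::SSL
    # loads only that file and never the system store. Use '' rather than
    # undef, because ssl_opts(KEY => undef) deletes the key instead of
    # setting it.
    $ua->ssl_opts(SSL_ca_path     => '');
    return $ua;
}

# LWP reports a TLS failure as an internal 500 whose status line carries the
# IO::Socket::SSL error. Only that counts as "rejected by pinning"; a DNS
# error or timeout also fails the request but proves nothing about the CA.
sub rejected_by_tls {
    my ($res) = @_;
    return 0 if $res->is_success;
    return $res->status_line =~ /certificate verify failed/ ? 1 : 0;
}

# Pinning is effective only if the right bundle works AND the wrong one is
# rejected for a certificate reason. Returns 1 on pass, 0 on fail.
sub pinning_effective {
    my ($url, $good_ca, $wrong_ca) = @_;
    my $good  = pinned_ua($good_ca)->get($url);
    my $wrong = pinned_ua($wrong_ca)->get($url);
    printf "with %s: %s\n", $good_ca,  $good->status_line;
    printf "with %s: %s\n", $wrong_ca, $wrong->status_line;
    return ($good->is_success && rejected_by_tls($wrong)) ? 1 : 0;
}

my $ok = pinning_effective($URL, $PINNED_CA, $WRONG_CA);
print $ok ? "PASS: CA pinning is effective\n"
          : "FAIL: CA pinning is NOT effective\n";
exit($ok ? 0 : 1);
```

If the second request succeeds with the wrong bundle, the system store is still being consulted and the SSL_ca_path assumption is wrong on that release; if it fails for a reason other than "certificate verify failed", the check is inconclusive rather than a pass.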


Related issues

Blocked by Tails - Feature #11810: Have our website CA bundle trust Let's Encrypt CA Resolved 09/19/2016

History

#1 Updated by intrigeri about 3 years ago

  • Description updated (diff)

#2 Updated by intrigeri about 3 years ago

  • Description updated (diff)

(Tested on Jessie, and there the CA pinning works fine.)

#3 Updated by intrigeri about 3 years ago

  • Related to Feature #11810: Have our website CA bundle trust Let's Encrypt CA added

#4 Updated by intrigeri about 3 years ago

  • Description updated (diff)

#5 Updated by intrigeri about 3 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 50

Fixed by my pull request on #11810.

#6 Updated by intrigeri about 3 years ago

  • Related to deleted (Feature #11810: Have our website CA bundle trust Let's Encrypt CA)

#7 Updated by intrigeri about 3 years ago

  • Blocked by Feature #11810: Have our website CA bundle trust Let's Encrypt CA added

#8 Updated by intrigeri about 3 years ago

  • QA Check set to Ready for QA

Next step is to do the tests documented on #11810#note-4 in a current feature/stretch.

#9 Updated by intrigeri about 3 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass
  • OK tails-security-check should work
  • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
  • OK HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
  • OK HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
