tails-security-check's CA pinning is not effective on sid
I guess it's the same on Stretch. The BEGIN block does not work as it used to. This instead seems to work:
$ua->ssl_opts(verify_hostname => 1);
$ua->ssl_opts(SSL_ca_file => $cafile);
To be verified: do we also need to empty SSL_ca_path to prevent the system's /etc/ssl/certs/ from being used?
Note that we might wish to change the way tails-security-check does HTTPS requests entirely (#11810#note-1), so let's hold on a bit here.
#9 Updated by intrigeri about 3 years ago
- Status changed from In Progress to Resolved
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
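An added example, not code from tails-security-check or from this ticket's participants: the two ssl_opts calls from the description wrapped in a helper that fails closed when the effective LWP options are not the pinned ones. The helper name pinned_ua, the temporary stand-in CA file and the simulated HTTPS_CA_DIR value are assumptions for the demo, and clearing SSL_ca_path is a defensive choice here, since the ticket leaves open whether it is required.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp ();
use LWP::UserAgent;

# Build a user agent that trusts only $cafile (hypothetical helper name).
sub pinned_ua {
    my ($cafile) = @_;
    die "CA file '$cafile' is not readable\n" unless -r $cafile;

    my $ua = LWP::UserAgent->new;
    # The two calls from the ticket.
    $ua->ssl_opts(verify_hostname => 1);
    $ua->ssl_opts(SSL_ca_file => $cafile);
    # Assumption: drop any CA directory LWP picked up from the environment
    # (PERL_LWP_SSL_CA_PATH / HTTPS_CA_DIR). Passing undef deletes the option.
    $ua->ssl_opts(SSL_ca_path => undef);

    # Fail closed if the effective options are not the pinned ones.
    my %opt = map { $_ => $ua->ssl_opts($_) } $ua->ssl_opts;
    die "hostname verification is off\n" unless $opt{verify_hostname};
    die "SSL_ca_file is not the pinned file\n"
        unless defined $opt{SSL_ca_file} && $opt{SSL_ca_file} eq $cafile;
    die "SSL_ca_path is still set\n" if exists $opt{SSL_ca_path};
    return $ua;
}

# Constructed demo: simulate an environment that points LWP at the system store.
local $ENV{HTTPS_CA_DIR} = '/etc/ssl/certs';
my $tmp = File::Temp->new(SUFFIX => '.pem');   # stand-in for the pinned CA file
my $ua  = pinned_ua($tmp->filename);
# Show the options that will reach the TLS layer; no network request is made.
printf "%s = %s\n", $_, $ua->ssl_opts($_) for $ua->ssl_opts;
```

This checks only what LWP will pass down to the TLS layer; the end-to-end proof that pinning works remains the QA check above, where a request made with a CA file that did not issue the server's certificate must fail.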