tails-security-check fails open if passed an empty or otherwise useless CA file
If I empty the CA bundle file passed to that script, it still manages to download the Atom feed without complaining.
#2 Updated by intrigeri almost 5 years ago
- Subject changed from tails-security-check CA pinning doesn't work to tails-security-check fails open if passed an empty or otherwise useless CA file
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to bugfix/8536-security-check-CA-pinning
Actually, it does work, as long as the specified CA file exists and is not empty. Unfortunately, the underlying HTTPS stack fails open when passed a non-existing or empty CA file. So I'm adding checks to ensure we fail closed in such cases, and also so that I'm not confused about this next time.
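The fail-closed pre-check described in the comment above, as an added example in Python; it is not the tails-security-check script's own code (which is Perl), and the function names, the exception class and the constructed sample files are assumptions. The idea is to refuse to build a TLS context at all unless the CA file exists, is non-empty and contains at least one PEM certificate block, so that an HTTPS library that would otherwise silently verify against nothing never gets the chance.

```python
import os
import re
import ssl
import tempfile

# One PEM "CERTIFICATE" block; a usable CA bundle must contain at least one.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----"
)


class UnusableCAFile(Exception):
    """Raised when the CA bundle cannot pin anything; the caller must abort."""


def check_ca_file(path):
    """Return the number of PEM certificate blocks in `path`, or raise UnusableCAFile.

    This is the fail-closed pre-check: a missing, empty or certificate-free
    file is rejected here with an explicit error instead of being handed to
    the HTTPS stack, whose behaviour on such input we do not want to rely on.
    """
    if not os.path.isfile(path):
        raise UnusableCAFile(f"CA file does not exist or is not a regular file: {path}")
    if os.path.getsize(path) == 0:
        raise UnusableCAFile(f"CA file is empty: {path}")
    with open(path, "rb") as fh:
        # latin-1 never fails to decode; binary junk simply will not match the regex
        text = fh.read().decode("latin-1")
    count = len(_PEM_CERT_RE.findall(text))
    if count == 0:
        raise UnusableCAFile(f"CA file contains no PEM certificate blocks: {path}")
    return count


def pinned_context(path):
    """Build an SSLContext that trusts only the certificates in `path`.

    check_ca_file runs first so an unusable file aborts with a clear message;
    load_verify_locations (inside create_default_context) is then the TLS
    stack's own, stricter parse, which also rejects structurally plausible
    blocks that are not real certificates.
    """
    check_ca_file(path)
    ctx = ssl.create_default_context(cafile=path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def run_self_check():
    """Exercise check_ca_file against constructed files; returns {case: outcome}.

    The "plausible" bundle is a constructed PEM-shaped block, not a real
    certificate: it only demonstrates that the structural pre-check passes it
    on to the TLS stack rather than refusing it up front.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            "missing": None,  # no file written at all
            "empty": b"",
            "no_pem": b"# just a comment, no certificate here\n",
            "plausible": (b"-----BEGIN CERTIFICATE-----\n"
                          b"MIIBconstructedNotARealCertificate0123456789+/==\n"
                          b"-----END CERTIFICATE-----\n") * 2,
        }
        for name, content in cases.items():
            path = os.path.join(tmp, name + ".pem")
            if content is not None:
                with open(path, "wb") as fh:
                    fh.write(content)
            try:
                results[name] = check_ca_file(path)
            except UnusableCAFile as exc:
                results[name] = "refused: " + str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    for case, outcome in run_self_check().items():
        print(f"{case:>10}: {outcome}")
```

Python's own ssl module raises on a missing or empty cafile, so it is not the fail-open stack the ticket is about; the point of the pre-check is that the script's error is explicit and under its own control whatever the underlying HTTPS library does, which is exactly the "so that I'm not confused about this next time" property.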