Feature #11810
Have our website CA bundle trust Let's Encrypt CA
Description
We’re told that https://tails.b.o will likely switch to Let’s Encrypt certificates around the end of the year, so config/chroot_local-hooks/58-create-tails-website-CA-bundle needs to add Let’s Encrypt CA. We probably need to add Let’s Encrypt intermediate CA (currently signed by IdenTrust’s root CA): if we instead added IdenTrust’s root CA, then things might start breaking once Let’s Encrypt starts delivering certificates signed by its intermediate CA, itself signed by their own root CA (technically there will still be a trust path but the files set up by Let’s Encrypt client on the web server may not advertise it so our clients won’t know about it). See https://letsencrypt.org/2016/08/05/le-root-to-be-trusted-by-mozilla.html.
Subtasks
Related issues
Blocks Tails - | Resolved | 2016-09-19
History
#1 Updated by intrigeri 2016-09-20 02:57:37
For labs.r.n, that uses a Let’s Encrypt-issued certificate signed by Let’s Encrypt intermediate CA, itself signed by the DST root CA, both work:
    gnutls-cli --verbose --port 443 --x509cafile /tmp/letsencrypt-intermediate.pem labs.riseup.net
    gnutls-cli --verbose --port 443 --x509cafile /etc/ssl/certs/DST_Root_CA_X3.pem labs.riseup.net
    curl --cacert /tmp/letsencrypt-intermediate.pem --capath . https://labs.riseup.net/test/tails.boum.org/security/index.en.atom
As explained above, using the DST root CA is risky, so apparently we could use Let’s Encrypt’s intermediate CA if the actual consumers of this CA (tails-security-check and Tails Upgrader), and the libraries that they use, can do that just like gnutls-cli. Let’s see:
- tails-security-check uses IO::Socket::SSL and Net::SSLeay. Pinning the intermediary CA fails (tested with HTTPS_CA_FILE=./letsencrypt-intermediate.pem tails-security-check after patching the script to set $default_base_url = 'https://labs.riseup.net/test/tails.boum.org/security/'). Pinning the root CA works (HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check).
- Tails Upgrader uses Tails::Download::HTTPS, that itself uses WWW::Curl::Easy. Pinning the intermediary CA works fine (tested with /usr/local/bin/tails-upgrade-frontend-wrapper --override-baseurl https://labs.riseup.net/test/tails.boum.org after patching /usr/share/perl5/Tails/Download/HTTPS.pm to set $cafile = '/tmp/letsencrypt-intermediate.pem').
So, if tails-security-check was modified to use Tails::Download::HTTPS, then we would be able to pin Let’s Encrypt intermediate CA, and thus support both the current situation (intermediate CA signed by the DST root CA) and the future one (intermediate CA signed with Let’s Encrypt’s own root CA).
Next step is to check if this would work fine on Stretch as well.
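To make the trust-path argument of the description and of the comment above concrete, here is an added shell example (not from the ticket, not Tails code) that builds a throwaway PKI with openssl(1): two demo roots stand in for the DST root and Let’s Encrypt’s own root, one intermediate key is certified by both (a cross-sign), and a leaf hangs off the intermediate. It assumes openssl is installed, and it assumes that OpenSSL’s partial-chain mode is what separates a verifier that accepts a pinned intermediate from one that does not; the ticket itself does not say which library setting made the difference between the two Tails clients.

```sh
#!/bin/sh
# Added example, not from the ticket: rebuild its trust-path argument with openssl(1).
# Two demo roots stand in for the IdenTrust (DST) root and Let's Encrypt's own root; one
# intermediate key is certified by both, as Let's Encrypt's cross-signed intermediate was.
# Every name, key and certificate here is constructed for the demo.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
q() { "$@" >/dev/null 2>&1; }                 # run a command quietly
newkey() {                                    # newkey KEY OUT CN -x509|-new
  q openssl req -config ca.cnf "$4" -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$3" -days 30
}
sign() {                                      # sign CSR ISSUER_CERT ISSUER_KEY OUT EXT_SECTION
  q openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -out "$4" -days 30 \
    -extfile ca.cnf -extensions "$5"
}
newkey root-dst.key  root-dst.pem  "Demo DST Root"  -x509
newkey root-isrg.key root-isrg.pem "Demo ISRG Root" -x509
newkey int.key int.csr "Demo LE Intermediate" -new   # one key, two issuer signatures
sign int.csr root-dst.pem  root-dst.key  int-by-dst.pem  ca_ext
sign int.csr root-isrg.pem root-isrg.key int-by-isrg.pem ca_ext
newkey leaf.key leaf.csr "tails.example" -new
sign leaf.csr int-by-dst.pem int.key leaf.pem leaf_ext
# verify PINNED_CA INTERMEDIATE_THE_SERVER_SENDS [-partial_chain] -> prints "ok" or "fail".
# Without -partial_chain OpenSSL insists on reaching a self-signed root, so a pinned
# intermediate is rejected (the behaviour tails-security-check showed in the ticket);
# with it the pinned intermediate is itself the trust anchor (what Tails Upgrader showed).
verify() {
  if q openssl verify -CAfile "$1" -untrusted "$2" $3 leaf.pem; then echo ok; else echo fail; fi
}
echo "pin DST root, server sends DST-signed intermediate:   $(verify root-dst.pem int-by-dst.pem)"
echo "pin DST root, server sends ISRG-signed intermediate:  $(verify root-dst.pem int-by-isrg.pem)"
echo "pin intermediate, strict verifier:                    $(verify int-by-dst.pem int-by-dst.pem)"
echo "pin intermediate, partial chain, DST-signed sent:     $(verify int-by-dst.pem int-by-dst.pem -partial_chain)"
echo "pin intermediate, partial chain, ISRG-signed sent:    $(verify int-by-dst.pem int-by-isrg.pem -partial_chain)"
```

The second line is the breakage the description warns about (root pinned, server advertising only the other chain), and the last two are why pinning the intermediate works under both the current and the future chain.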
#2 Updated by intrigeri 2016-09-20 02:57:54
- Related to Bug #11812: tails-security-check's CA pinning is not effective on sid added
#3 Updated by intrigeri 2016-09-20 03:56:26
intrigeri wrote:
> Next step is to check if this would work fine on Stretch as well.
Pinning the intermediate CA still works for Tails Upgrader on feature/stretch. So next step is to try and convert tails-security-check to use Tails::Download::HTTPS.
#4 Updated by intrigeri 2016-09-20 07:23:40
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to feature/11810-lets-encrypt, perl5lib:feature/11810-lets-encrypt
I’ve released tails-perl5lib 0.9.7 from my topic branch and built+imported a 0.9.7-1 package from it. That’s bold, i.e. if we don’t want these changes in the end then we’ll need to revert stuff on the debian branch of the perl5lib repo. But the only change there is a simple one-liner so I wanted to save everyone (bertagaz and I) some time.
Testing protocol:
- Tails 2.5
  - tails-security-check should work
  - tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  - HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
  - HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
- feature/11810-lets-encrypt
  - tails-security-check should work
  - tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
  - HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
  - HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
- Tails 3.x
  - tails-security-check should work
  - tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
  - HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
  - HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
#5 Updated by intrigeri 2016-09-20 08:27:19
- Assignee changed from intrigeri to bertagaz
- % Done changed from 10 to 50
- QA Check set to Ready for QA
Test results:
- Tails 2.5
  - tails-security-check should work - OK
  - tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail - OK
  - HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail - OK
  - HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail - OK
- feature/11810-lets-encrypt
  - tails-security-check should work - OK
  - tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work - OK
  - HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail - OK
  - HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail - OK
- current feature/stretch + feature/11810-lets-encrypt except the perl5lib change proposed on this ticket
  - tails-security-check should work - OK
  - tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work - FAIL (which demonstrates the bug fixed in perl5lib)
  - HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail - FAIL (which demonstrates the bug fixed in perl5lib)
  - HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail - OK
- Tails 3.x + feature/11810-lets-encrypt
  - tails-security-check should work - OK
  - tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work - OK
  - HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail - OK
  - HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail - OK
All this seems good so please review’n’merge feature/11810-lets-encrypt into stable (tails.git) and feature/11810-lets-encrypt into master (perl5lib.git).
#6 Updated by intrigeri 2016-09-20 08:28:22
- Related to deleted (Bug #11812: tails-security-check's CA pinning is not effective on sid)
#7 Updated by intrigeri 2016-09-20 08:28:25
- Blocks Bug #11812: tails-security-check's CA pinning is not effective on sid added
#8 Updated by bertagaz 2016-09-30 11:50:57
- Status changed from In Progress to Fix committed
- % Done changed from 50 to 100
Applied in changeset commit:8e60f866d42bf29d0de4b3ef864d882852289b98.
#9 Updated by bertagaz 2016-09-30 12:00:39
- Assignee deleted (bertagaz)
- QA Check changed from Ready for QA to Pass
intrigeri wrote:
> All this seems good so please review’n’merge feature/11810-lets-encrypt into stable (tails.git) and feature/11810-lets-encrypt into master (perl5lib.git).
My own testing tends to confirm yours, so I’ve merged it. Nice to catch things early for once!
#10 Updated by intrigeri 2016-09-30 13:41:45
> My own testing tends to confirm yours,
“tends to”? Do you mean it does not fully confirm my testing?
> Nice to catch things early for once!
:)
#11 Updated by bertagaz 2016-09-30 14:38:06
intrigeri wrote:
> > My own testing tends to confirm yours,
>
> “tends to”? Do you mean it does not fully confirm my testing?
No, they are! :)
#12 Updated by bertagaz 2016-11-15 18:23:33
- Status changed from Fix committed to Resolved