Feature #11810

Have our website CA bundle trust Let's Encrypt CA

Added by intrigeri 2016-09-19 07:22:29. Updated 2016-11-15 18:23:33.

Status: Resolved
Priority: High
Assignee:
Category:
Target version:
Start date: 2016-09-19
Due date:
% Done: 100%
Feature Branch: feature/11810-lets-encrypt, perl5lib:feature/11810-lets-encrypt
Type of work: Code
Blueprint:
Starter:
Affected tool: Upgrader
Deliverable for:
Description

We’re told that https://tails.b.o will likely switch to Let’s Encrypt certificates around the end of the year, so config/chroot_local-hooks/58-create-tails-website-CA-bundle needs to add Let’s Encrypt CA. We probably need to add Let’s Encrypt intermediate CA (currently signed by IdenTrust’s root CA): if we instead added IdenTrust’s root CA, then things might start breaking once Let’s Encrypt starts delivering certificates signed by its intermediate CA, itself signed by their own root CA (technically there will still be a trust path but the files set up by Let’s Encrypt client on the web server may not advertise it so our clients won’t know about it). See https://letsencrypt.org/2016/08/05/le-root-to-be-trusted-by-mozilla.html.


Related issues

Blocks: Tails - Bug #11812: tails-security-check's CA pinning is not effective on sid (Resolved, 2016-09-19)

History

#1 Updated by intrigeri 2016-09-20 02:57:37

For labs.r.n, that uses a Let’s Encrypt-issued certificate signed by Let’s Encrypt intermediate CA, itself signed by the DST root CA, both work:

gnutls-cli --verbose  --port 443 --x509cafile /tmp/letsencrypt-intermediate.pem labs.riseup.net
gnutls-cli --verbose  --port 443 --x509cafile /etc/ssl/certs/DST_Root_CA_X3.pem labs.riseup.net
curl --cacert /tmp/letsencrypt-intermediate.pem --capath . https://labs.riseup.net/test/tails.boum.org/security/index.en.atom

As explained above, using the DST root CA is risky, so apparently we could use Let’s Encrypt’s intermediate CA if the actual consumers of this CA (tails-security-check and Tails Upgrader), and the libraries that they use, can do that just like gnutls-cli. Let’s see:

  • tails-security-check uses IO::Socket::SSL and Net::SSLeay. Pinning the intermediary CA fails (tested with HTTPS_CA_FILE=./letsencrypt-intermediate.pem tails-security-check after patching the script to set $default_base_url = 'https://labs.riseup.net/test/tails.boum.org/security/'). Pinning the root CA works (HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check).
  • Tails Upgrader uses Tails::Download::HTTPS, that itself uses WWW::Curl::Easy. Pinning the intermediary CA works fine (tested with /usr/local/bin/tails-upgrade-frontend-wrapper --override-baseurl https://labs.riseup.net/test/tails.boum.org after patching /usr/share/perl5/Tails/Download/HTTPS.pm to set $cafile = '/tmp/letsencrypt-intermediate.pem').

So, if tails-security-check was modified to use Tails::Download::HTTPS, then we would be able to pin Let’s Encrypt intermediate CA, and thus support both the current situation (intermediate CA signed by the DST root CA) and the future one (intermediate CA signed with Let’s Encrypt’s own root CA).

Next step is to check if this would work fine on Stretch as well.
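The distinction drawn in the ticket description and in the tests above (an OpenSSL-based client rejecting a pinned intermediate while gnutls-cli and curl accept it, and a root pin no longer completing the chain once the intermediate is re-signed by a different root) can be reproduced offline with a throwaway PKI. The script below is an added example, not code from this ticket, from tails-security-check or from tails-perl5lib; it assumes only an `openssl` binary (1.1.1 or newer for the options used), and every name, key and certificate in it is constructed on the spot.

```shell
#!/bin/sh
# Added example, not code from the Tails ticket or its repositories.
# Builds a throwaway PKI with openssl (all names constructed) to show why
# "pin the root" and "pin the intermediate" behave differently for an
# OpenSSL-based verifier, and what happens when the intermediate gets
# re-signed by a different root while the pinned file stays the same.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: one for CAs (root and intermediate), one for the leaf.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
subjectAltName=DNS:labs.example.test
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# csr NAME: fresh RSA key plus a CSR carrying CN=NAME.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}
# self_sign NAME: a self-signed root CA (stands in for DST Root CA X3 or
# for Let's Encrypt's own root).
self_sign() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
        -extfile ca.ext -out "$1.pem" >/dev/null 2>&1
}
# issue CSR ISSUER_CERT ISSUER_KEY EXT OUT: the issuer signs the CSR.
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -extfile "$4" -out "$5" >/dev/null 2>&1
}

csr dst-root; self_sign dst-root
csr le-root;  self_sign le-root
# One intermediate key, cross-signed by both roots: le-int-by-dst.pem is
# today's chain, le-int-by-le.pem is the chain after the switch.
csr le-int
issue le-int.csr dst-root.pem dst-root.key ca.ext le-int-by-dst.pem
issue le-int.csr le-root.pem  le-root.key  ca.ext le-int-by-le.pem
# The server certificate, issued under the intermediate key.
csr leaf
issue leaf.csr le-int-by-dst.pem le-int.key leaf.ext leaf.pem

# Each check returns openssl verify's exit status (0 = chain accepted).
# Today's chain: leaf <- intermediate (signed by DST) <- DST root.
pin_root_today() {
    openssl verify -CAfile dst-root.pem -untrusted le-int-by-dst.pem leaf.pem >/dev/null 2>&1
}
# Default OpenSSL policy: the trust anchor must be self-signed, so a pinned
# intermediate alone is rejected ("unable to get issuer certificate"), which
# is consistent with what comment #1 reports for IO::Socket::SSL.
pin_intermediate_strict() {
    openssl verify -CAfile le-int-by-dst.pem leaf.pem >/dev/null 2>&1
}
# With partial chains allowed, a non-self-signed anchor is acceptable, the
# behaviour gnutls-cli and curl exhibited in comment #1.
pin_intermediate_partial() {
    openssl verify -partial_chain -CAfile le-int-by-dst.pem leaf.pem >/dev/null 2>&1
}
# After the switch the server sends the intermediate signed by LE's root.
# A client that pinned only the DST root can no longer complete the chain...
pin_root_after_switch() {
    openssl verify -CAfile dst-root.pem -untrusted le-int-by-le.pem leaf.pem >/dev/null 2>&1
}
# ...while a client that pinned the intermediate still matches it by key.
pin_intermediate_after_switch() {
    openssl verify -partial_chain -CAfile le-int-by-dst.pem \
        -untrusted le-int-by-le.pem leaf.pem >/dev/null 2>&1
}

report() { if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi; }
for c in pin_root_today pin_intermediate_strict pin_intermediate_partial \
         pin_root_after_switch pin_intermediate_after_switch; do report "$c"; done
```

Run it with `sh` and it prints one accepted/rejected line per check; the two "after_switch" checks are the situation the description warns about, where the server's chain file changes but the client's pinned file does not.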

#2 Updated by intrigeri 2016-09-20 02:57:54

  • related to Bug #11812: tails-security-check's CA pinning is not effective on sid added

#3 Updated by intrigeri 2016-09-20 03:56:26

intrigeri wrote:
> Next step is to check if this would work fine on Stretch as well.

Pinning the intermediate CA still works for Tails Upgrader on feature/stretch. So next step is to try and convert tails-security-check to use Tails::Download::HTTPS.

#4 Updated by intrigeri 2016-09-20 07:23:40

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/11810-lets-encrypt, perl5lib:feature/11810-lets-encrypt

I’ve released tails-perl5lib 0.9.7 from my topic branch and built+imported a 0.9.7-1 package from it. That’s bold, i.e. if we don’t want these changes in the end then we’ll need to revert stuff on the debian branch of the perl5lib repo. But the only change there is a simple one-liner so I wanted to save everyone (bertagaz and me) some time.

Testing protocol:

  • Tails 2.5
    • tails-security-check should work
    • tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • feature/11810-lets-encrypt
    • tails-security-check should work
    • tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • Tails 3.x
    • tails-security-check should work
    • tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail

#5 Updated by intrigeri 2016-09-20 08:27:19

  • Assignee changed from intrigeri to bertagaz
  • % Done changed from 10 to 50
  • QA Check set to Ready for QA

Test results:

  • Tails 2.5
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • feature/11810-lets-encrypt
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • OK HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • current feature/stretch + feature/11810-lets-encrypt except the perl5lib change proposed on this ticket
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • FAIL (which demonstrates the bug fixed in perl5lib) HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • FAIL (which demonstrates the bug fixed in perl5lib) HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
  • Tails 3.x + feature/11810-lets-encrypt
    • OK tails-security-check should work
    • OK tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
    • OK HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
    • OK HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail

All this seems good so please review’n’merge feature/11810-lets-encrypt into stable (tails.git) and feature/11810-lets-encrypt into master (perl5lib.git).

#6 Updated by intrigeri 2016-09-20 08:28:22

  • related to deleted (Bug #11812: tails-security-check's CA pinning is not effective on sid)

#7 Updated by intrigeri 2016-09-20 08:28:25

  • blocks Bug #11812: tails-security-check's CA pinning is not effective on sid added

#8 Updated by bertagaz 2016-09-30 11:50:57

  • Status changed from In Progress to Fix committed
  • % Done changed from 50 to 100

Applied in changeset commit:8e60f866d42bf29d0de4b3ef864d882852289b98.

#9 Updated by bertagaz 2016-09-30 12:00:39

  • Assignee deleted (bertagaz)
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:
> All this seems good so please review’n’merge feature/11810-lets-encrypt into stable (tails.git) and feature/11810-lets-encrypt into master (perl5lib.git).

My own testing tends to confirm yours, so I’ve merged it. Nice to catch things early for once!

#10 Updated by intrigeri 2016-09-30 13:41:45

> My own testing tends to confirm yours,

“tends to”? Do you mean it does not fully confirm my testing?

> Nice to catch things early for once!

:)

#11 Updated by bertagaz 2016-09-30 14:38:06

intrigeri wrote:
> > My own testing tends to confirm yours,
>
> “tends to”? Do you mean it does not fully confirm my testing?

No, they are! :)

#12 Updated by bertagaz 2016-11-15 18:23:33

  • Status changed from Fix committed to Resolved