Bug #11812

tails-security-check's CA pinning is not effective on sid

Added by intrigeri 2016-09-19 09:00:41. Updated 2016-11-15 19:39:57.

Status: Resolved
Priority: Elevated
Assignee: intrigeri
Start date: 2016-09-19
% Done: 100%
Type of work: Code
Affected tool: Security Check

Description

I guess it’s the same on Stretch. The BEGIN block does not work as it used to. This instead seems to work:

    use LWP::UserAgent;
    my $ua = LWP::UserAgent->new;
    $ua->ssl_opts(verify_hostname => 1);        # check the server name against the certificate
    $ua->ssl_opts(SSL_ca_file     => $cafile);  # $cafile: path to the pinned CA bundle

To be verified: do we also need to empty SSL_ca_path to avoid the system’s /etc/ssl/certs/ from being used?

Note that we might wish to change the way tails-security-check does HTTPS requests entirely (Feature #11810#note-1) so let’s hold on a bit here.

Related issues

Blocked by Tails - Feature #11810: Have our website CA bundle trust Let's Encrypt CA Resolved 2016-09-19

History

#1 Updated by intrigeri 2016-09-20 02:33:42

  • Description updated

#2 Updated by intrigeri 2016-09-20 02:40:20

  • Description updated

(Tested on Jessie, and there the CA pinning works fine.)

#3 Updated by intrigeri 2016-09-20 02:57:54

  • related to Feature #11810: Have our website CA bundle trust Let's Encrypt CA added

#4 Updated by intrigeri 2016-09-20 02:58:46

  • Description updated

#5 Updated by intrigeri 2016-09-20 08:28:01

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 50

Fixed by my pull request on Feature #11810.

#6 Updated by intrigeri 2016-09-20 08:28:22

  • related to deleted (Feature #11810: Have our website CA bundle trust Let's Encrypt CA)

#7 Updated by intrigeri 2016-09-20 08:28:25

  • blocked by Feature #11810: Have our website CA bundle trust Let's Encrypt CA added

#8 Updated by intrigeri 2016-11-15 10:44:47

  • QA Check set to Ready for QA

Next step is to do the tests documented on Feature #11810#note-4 in a current feature/stretch.

#9 Updated by intrigeri 2016-11-15 19:39:57

  • Status changed from In Progress to Resolved
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

  • OK: tails-security-check should work
  • OK: tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should work
  • OK: HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check should fail
  • OK: HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ should fail
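The description asks whether SSL_ca_path also has to be emptied so that /etc/ssl/certs/ is not consulted, and comment #9 checks the pin by pointing HTTPS_CA_FILE at an unrelated root and expecting the check to fail. The shell script below is an added example, not code from this ticket or from tails-security-check, that reproduces that check offline with the openssl command-line tool instead of LWP: it generates two throwaway CAs and one leaf certificate for tails.boum.org, then verifies the leaf against exactly one CA file at a time with -no-CAfile/-no-CApath, the CLI way of keeping the system trust store out of the decision. The CA names, the temporary files and the example.invalid hostname are made up for the demonstration, and the two flags need OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the Tails ticket or tails-security-check): reproduce
# the ticket's CA-pinning check offline with the openssl CLI. One throwaway CA
# ("pinned") issues a leaf certificate for tails.boum.org; a second, unrelated
# CA ("other") plays the role of the wrong HTTPS_CA_FILE from comment #9.
# -no-CAfile/-no-CApath keep the system store (/etc/ssl/certs) out of the
# decision, the CLI counterpart of the SSL_ca_path question in the description.
# Needs OpenSSL >= 1.1.0 for those two flags.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA: $1 = basename, $2 = CN (names are made up for the demo).
make_ca() {
    openssl req -x509 -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Leaf certificate for hostname $2 signed by CA $1, with a matching SAN.
make_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -sha256 -in "$WORK/leaf.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Pinned verification: trust exactly the CA file $1, nothing from the system
# store, and require the certificate to be valid for hostname $2.
# Returns 0 when the chain verifies, non-zero otherwise.
pinned_verify() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$1.pem" \
        -verify_hostname "$2" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_ca pinned "Pinned demo CA"
make_ca other  "Unrelated demo CA"
make_leaf pinned tails.boum.org

# The three QA-style cases; each returns 0 when the outcome is the expected one.
right_ca()   { pinned_verify pinned tails.boum.org; }    # should work
wrong_ca()   { ! pinned_verify other  tails.boum.org; }  # should fail (wrong pinned CA)
wrong_host() { ! pinned_verify pinned example.invalid; } # should fail (hostname mismatch)

for combo in "pinned tails.boum.org" "other tails.boum.org" "pinned example.invalid"; do
    set -- $combo
    if pinned_verify "$1" "$2"; then
        echo "CA=$1 host=$2: verified"
    else
        echo "CA=$1 host=$2: rejected"
    fi
done
```

The first case is the only one that should print "verified"; the second mirrors the HTTPS_CA_FILE runs in comment #9, and the third is what verify_hostname buys on top of the CA pin. Dropping -no-CApath from pinned_verify is the CLI equivalent of leaving SSL_ca_path at its default: the system store is then consulted as well and the pin is no longer the only thing that decides.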