Bug #11812
tails-security-check's CA pinning is not effective on sid
100%
Description
I guess it’s the same on Stretch. The BEGIN block does not work as it used to. This instead seems to work:
$ua->ssl_opts(verify_hostname => 1);
$ua->ssl_opts(SSL_ca_file => $cafile);
To be verified: do we also need to empty SSL_ca_path to avoid the system’s /etc/ssl/certs/ from being used?
Note that we might wish to change the way tails-security-check does HTTPS requests entirely (Feature #11810#note-1) so let’s hold on a bit here.
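The pinning described in the report, written out as an added Perl example (not code from tails-security-check; the helper name `pinned_ua` and the command-line usage are hypothetical). Removing `SSL_ca_path` is a conservative choice made in this example, not an answer the report confirms.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Hypothetical helper: return a user agent that trusts only the CAs in $cafile.
sub pinned_ua {
    my ($cafile) = @_;

    # Fail early on a missing or empty bundle instead of at handshake time.
    open(my $fh, '<', $cafile) or die "cannot read CA file $cafile: $!\n";
    my $pem = do { local $/; <$fh> };
    close($fh);
    die "$cafile contains no PEM certificate\n"
        unless defined $pem && $pem =~ /-----BEGIN CERTIFICATE-----/;

    my $ua = LWP::UserAgent->new;

    # The two settings from the report.
    $ua->ssl_opts(verify_hostname => 1);
    $ua->ssl_opts(SSL_ca_file     => $cafile);

    # LWP::UserAgent's constructor can seed SSL_ca_path from the environment
    # (PERL_LWP_SSL_CA_PATH or HTTPS_CA_DIR). Setting an option to undef
    # removes it, so no CA directory is consulted next to the pinned file.
    $ua->ssl_opts(SSL_ca_path => undef);

    # Read the effective options back and refuse to continue on a mismatch.
    die "hostname verification is off\n"
        unless $ua->ssl_opts('verify_hostname');
    die "SSL_ca_file is not the pinned bundle\n"
        unless ($ua->ssl_opts('SSL_ca_file') // '') eq $cafile;
    die "SSL_ca_path is still set\n"
        if defined $ua->ssl_opts('SSL_ca_path');

    return $ua;
}

# Usage (hypothetical): perl pinned_ua.pl CAFILE URL
# Exit status 0 means the request succeeded with the pinned CA, 1 that it failed.
unless (caller) {
    my ($cafile, $url) = @ARGV;
    die "usage: $0 CAFILE URL\n" unless defined $url;
    my $res = pinned_ua($cafile)->get($url);
    my $ok  = $res->is_success;
    print $ok ? "OK\n" : "FAIL: " . $res->status_line . "\n";
    exit($ok ? 0 : 1);
}
```

Pointing CAFILE at a CA that did not issue the server's certificate should make the request fail, which is the negative check to run against any pinning change.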
Related issues
Blocked by Tails - | Resolved | 2016-09-19 |
History
#1 Updated by intrigeri 2016-09-20 02:33:42
- Description updated
#2 Updated by intrigeri 2016-09-20 02:40:20
- Description updated
(Tested on Jessie, and there the CA pinning works fine.)
#3 Updated by intrigeri 2016-09-20 02:57:54
- related to Feature #11810: Have our website CA bundle trust Let's Encrypt CA added
#4 Updated by intrigeri 2016-09-20 02:58:46
- Description updated
#5 Updated by intrigeri 2016-09-20 08:28:01
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 50
Fixed by my pull request on Feature #11810.
#6 Updated by intrigeri 2016-09-20 08:28:22
- related to deleted (Feature #11810: Have our website CA bundle trust Let's Encrypt CA)
#7 Updated by intrigeri 2016-09-20 08:28:25
- blocked by Feature #11810: Have our website CA bundle trust Let's Encrypt CA added
#8 Updated by intrigeri 2016-11-15 10:44:47
- QA Check set to Ready for QA
Next step is to do the tests documented on Feature #11810#note-4 in a current feature/stretch.
#9 Updated by intrigeri 2016-11-15 19:39:57
- Status changed from In Progress to Resolved
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
OK: tails-security-check (should work)
OK: tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ (should work)
OK: HTTPS_CA_FILE=/etc/ssl/certs/DST_Root_CA_X3.pem tails-security-check (should fail)
OK: HTTPS_CA_FILE=/etc/ssl/certs/AddTrust_External_Root.pem tails-security-check https://labs.riseup.net/test/tails.boum.org/security/ (should fail)