Bug #8404

Deal with our website switching X.509 certificate authority

Added by intrigeri 2014-12-07 13:32:52 . Updated 2015-01-15 03:50:54 .

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date: 2014-12-07
Due date:
% Done: 100%
Feature Branch: bugfix/handle-website-CA-change
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

Our website switched to a new SSL certificate after the release of 1.2.2. This new certificate is signed by a different CA. Tails Upgrader pins the expected CA. We prepared 1.2.2 to update Tails Upgrader to the new CA.



Related issues

Related to Tails - Bug #8503: Remove the announcement of 1.2.2 Rejected 2014-12-29
Has duplicate Tails - Bug #8494: "Error while checking for upgrades" in Tails 1.2.2 Duplicate 2014-12-27

History

#1 Updated by intrigeri 2014-12-07 14:34:08

  • Status changed from Confirmed to In Progress
  • Assignee deleted (intrigeri)
  • Priority changed from High to Urgent
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/handle-website-CA-change

#2 Updated by anonym 2014-12-12 16:29:26

  • Target version changed from Tails_1.2.2 to Tails_1.2.3
  • QA Check set to Dev Needed

The current state of bugfix/handle-website-CA-change (commit fbd5a82) doesn’t deal with the fact that config/chroot_local-includes/usr/local/bin/tails-security-check still pins the old certificate.

We decided to proceed with the already prepared Tails 1.2.2 ISO and IUK that do not fix this since:

1. tails-security-check fails silently, so it won’t confuse users.
2. users of 1.2.2 will still get the appropriate alert to upgrade to 1.2.3.

While this branch will be merged for 1.2.2 to partially fix the situation, we should finish it and merge it again in Tails 1.2.3.

#3 Updated by intrigeri 2014-12-13 08:16:54

  • Category deleted (178)

Changes are also needed in the security check code.

#4 Updated by intrigeri 2014-12-16 18:35:57

  • Assignee set to intrigeri
  • Priority changed from Urgent to Elevated
  • % Done changed from 10 to 20
  • The changes for tails-iuk were merged in the iuk repo into the master branch (but not released yet as a .deb, only via the 1.2.2.squashfs in the 1.2.2 emergency release for now).
  • The changes for tails-iuk were merged in the main Git repo into the stable branch.
  • The work on tails-security-check is still left to be done.

#5 Updated by intrigeri 2014-12-25 18:11:32

Check for upgrades is broken in 1.2.2 (at least since the new certificate was deployed on the website):

Could not download 'https://tails.boum.org/upgrade/v1/Tails/1.2.2/i386/stable/upgrades.yml', request failed (Peer certificate cannot be authenticated with given CA certificates): server certificate verification failed. CAfile: /usr/local/etc/ssl/certs/tails-iuk.pem CRLfile: none
 at /usr/bin/tails-iuk-get-upgrade-description-file line 21
 at /usr/bin/tails-upgrade-frontend line 22


$ torsocks gnutls-cli -p 443 --print-cert --x509cafile /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem  tails.boum.org
Processed 1 CA certificate(s).
Resolving 'tails.boum.org'...
Connecting to '204.13.164.188:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

$ torsocks gnutls-cli -p 443 --print-cert --x509cafile /etc/ssl/certs/AddTrust_External_Root.pem  tails.boum.org
Processed 1 CA certificate(s).
Resolving 'tails.boum.org'...
Connecting to '204.13.164.188:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

$ torsocks gnutls-cli -p 443 --print-cert --x509cafile /usr/local/etc/ssl/certs/tails-iuk.pem tails.boum.org
Processed 2 CA certificate(s).
Resolving 'tails.boum.org'...
Connecting to '204.13.164.188:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

gnutls-cli connects just fine without --x509cafile, but:

  • Peer’s certificate issuer is unknown
  • Peer’s certificate is NOT trusted

#6 Updated by intrigeri 2014-12-28 08:49:55

It would be worth retrying with a bundle that includes the entire CA chain to the certificate that’s in use.

#7 Updated by intrigeri 2014-12-28 08:54:29

  • has duplicate Bug #8494: "Error while checking for upgrades" in Tails 1.2.2 added

#8 Updated by bertagaz 2014-12-29 10:23:58

I’ve done the same test, but with --x509cafile /etc/ssl/certs/ca-certificates.crt, and it seems to work correctly:

$ torsocks gnutls-cli -p 443 --print-cert --x509cafile /etc/ssl/certs/ca-certificates.crt tails.boum.org
Processed 173 CA certificate(s).
Resolving 'tails.boum.org'...
Connecting to '204.13.164.188:443'...
- Certificate type: X.509
- Got a certificate list of 5 certificates.
[Certificates list]
- Status: The certificate is trusted.

#9 Updated by sajolida 2014-12-29 19:31:27

  • related to Bug #8503: Remove the announcement of 1.2.2 added

#10 Updated by sajolida 2014-12-30 10:23:31

  • Description updated

#11 Updated by sajolida 2014-12-30 10:39:44

The SSL test from Qualys Labs is not detecting any serious issue on the server side: https://www.ssllabs.com/ssltest/analyze.html?d=tails.boum.org

#12 Updated by intrigeri 2014-12-30 10:54:29

> I’ve done the same test, but with --x509cafile /etc/ssl/certs/ca-certificates.crt, and it seems to work correctly:

In Tails 1.2.2, or on another kind of Debian system?

#13 Updated by sajolida 2014-12-30 12:03:58

The certificate chains provided by webmail.boum.org and tails.boum.org are different. The one provided by tails.boum.org includes *.boum.org twice (as certificate #1 and #2).

This has been reported by:

  • https://www.ssllabs.com/ssltest/analyze.html?d=tails.boum.org
  • torsocks gnutls-cli -p 443 --print-cert tails.boum.org

When testing gnutls-cli in Tails:

  • webmail.boum.org is validated: torsocks gnutls-cli -p 443 --print-cert --x509cafile /etc/ssl/certs/ca-certificates.crt webmail.boum.org says “Handshake was completed”
  • tails.boum.org fails: torsocks gnutls-cli -p 443 --print-cert --x509cafile /etc/ssl/certs/ca-certificates.crt tails.boum.org fails with:
Processed 172 CA certificate(s).
Resolving 'tails.boum.org'...
Connecting to '204.13.164.188:443'...
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

We asked boum.org to remove this duplicate in the certificate chain.
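
A check for the condition reported in comment #13, as an added example that is not part of the original ticket or of Tails' code: it reads the PEM blocks from saved output such as that of gnutls-cli --print-cert, fingerprints each certificate, and reports any certificate the server sent more than once. The function names and the sample chain are constructed for illustration; the sample blocks hold placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def chain_fingerprints(text):
    """SHA-256 of each certificate's DER bytes, in the order they were sent."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(text)]


def find_duplicates(text):
    """Return (first_position, repeat_position) pairs, counting from 1."""
    seen, dupes = {}, []
    for pos, fp in enumerate(chain_fingerprints(text), start=1):
        if fp in seen:
            dupes.append((seen[fp], pos))
        else:
            seen[fp] = pos
    return dupes


def _fake_pem(label):
    # Constructed stand-in: arbitrary bytes in a PEM envelope, NOT a real cert.
    b64 = base64.b64encode(label.encode() * 8).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"])


# Constructed five-entry chain: the first certificate is repeated at position 2.
SAMPLE_CHAIN = "\n".join(
    f"(text around block {i} is ignored)\n{_fake_pem(name)}"
    for i, name in enumerate(
        ["leaf", "leaf", "intermediate-a", "intermediate-b", "root"], start=1))

if __name__ == "__main__":
    dupes = find_duplicates(SAMPLE_CHAIN)
    for first, repeat in dupes:
        print(f"certificate #{repeat} is a duplicate of certificate #{first}")
    if not dupes:
        print("no duplicate certificates in chain")
```

Only the text between the BEGIN/END CERTIFICATE markers is used, so the saved session output can be passed in unmodified.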

#14 Updated by bertagaz 2014-12-30 12:35:56

boum.org replied they found and fixed an issue in their SSL configuration.

Since then, the upgrade check seems to work by correctly reporting being up-to-date in 1.2.2.

#15 Updated by sajolida 2015-01-01 13:28:27

Now that 1.2.2 checks for upgrade fine, is there anything else that needs to be done before closing this ticket?

#16 Updated by intrigeri 2015-01-01 13:41:06

> Now that 1.2.2 checks for upgrade fine, is there anything else that needs to be done before closing this ticket?

Yes, see comments 3 and 4.

#17 Updated by intrigeri 2015-01-04 13:41:30

  • % Done changed from 20 to 30
  • bugfix/handle-website-CA-change branch in main Git repo now creates the CA bundle without the CA that signed the old certificate, and names the bundle file in a more generic way
  • bugfix/handle-website-CA-change in the IUK Git repo has the changes needed to adjust to the above change
  • bugfix/handle-website-CA-change branch in main Git repo updates the security check script to use the new CA bundle

Next step is to test all this.

#18 Updated by intrigeri 2015-01-06 10:11:31

  • Assignee deleted (intrigeri)
  • % Done changed from 30 to 50
  • QA Check changed from Dev Needed to Ready for QA

#19 Updated by intrigeri 2015-01-06 10:11:53

  • Description updated

#20 Updated by anonym 2015-01-13 14:12:12

  • Assignee set to anonym

#21 Updated by anonym 2015-01-13 19:20:26

  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Merged!

#22 Updated by anonym 2015-01-13 19:25:04

  • Status changed from In Progress to Fix committed

#23 Updated by BitingBird 2015-01-15 03:50:54

  • Status changed from Fix committed to Resolved