Feature #8434
Automatically test that Tails Upgrader rejects valid certificates for the wrong hostname
Start date:
2014-12-14
Due date:
% Done:
0%
Description
In features/download_upgrade-description_file/Download_Upgrade-Description_File.feature
, we test some invalid certificate cases, but we don’t test that a valid certificate for a wrong hostname is rejected. We should.
Implementation-wise, we could:
- either get ourselves a valid certificate for a test-only hostname (both the public and private keys will be in our iuk Git repo); this requires the least amount of divergence between the code being tested and the code run in production;
- or use something like TLSPretense, that can generate various kinds of flawed certificates on the fly; it requires adding a CA used by TLSPretense to the list of those trusted by the client; it adds firewall rules to intercept the network traffic
Subtasks
History
#1 Updated by intrigeri 2014-12-14 15:07:45
I just double-checked the code, and we set CURLOPT_SSL_VERIFYPEER
to 1 and CURLOPT_SSL_VERIFYHOST
to 2, so it should be fine, but still: the Perl bindings might be flawed, or something => it’s still worth testing automatically.
#2 Updated by BitingBird 2015-04-10 17:39:54
- Category set to Test suite
That’s for the Test suite, right?