Bug #8536
tails-security-check fails open if passed an empty or otherwise useless CA file
Start date: 2015-01-06
Due date:
% Done: 100%
Description
If I empty the CA bundle file passed to that script, it still manages to download the Atom feed without complaining.
Subtasks
History
#1 Updated by intrigeri 2015-01-06 10:04:49
- Affected tool set to Security Check
#2 Updated by intrigeri 2015-02-10 19:02:03
- Subject changed from tails-security-check CA pinning doesn't work to tails-security-check fails open if passed an empty or otherwise useless CA file
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to bugfix/8536-security-check-CA-pinning
Actually, it does work, as long as the specified CA file exists and is not empty. Unfortunately, the underlying HTTPS stack fails open when passed a non-existing or empty CA file. So I’m adding checks to ensure we fail closed in such cases, and also so that I’m not confused about this next time.
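An added example, not part of this ticket or of the Tails code: one way to make a pinned-CA HTTPS client fail closed when the CA file is missing, empty or unparseable, sketched with Python's standard `ssl` module. The names `pinned_tls_context` and `UselessCAFile` are hypothetical, and the sample files are constructed.

```python
import os
import ssl
import tempfile


class UselessCAFile(Exception):
    """The pinned CA file cannot anchor certificate verification."""


def pinned_tls_context(ca_file):
    """Return an SSLContext trusting only the certificates in ca_file, or raise."""
    # 1. Explicit pre-flight checks: do not rely on the TLS stack to object.
    if not os.path.isfile(ca_file):
        raise UselessCAFile(f"{ca_file}: missing or not a regular file")
    if os.path.getsize(ca_file) == 0:
        raise UselessCAFile(f"{ca_file}: empty")

    # 2. PROTOCOL_TLS_CLIENT starts with an empty trust store, CERT_REQUIRED
    #    and hostname checking, so system CAs cannot silently fill the gap.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_file)
    except (ssl.SSLError, OSError) as exc:
        raise UselessCAFile(f"{ca_file}: no usable certificate ({exc})") from exc

    # 3. Count what was actually loaded instead of trusting the loader's silence.
    if ctx.cert_store_stats()["x509"] < 1:
        raise UselessCAFile(f"{ca_file}: 0 certificates loaded")

    # 4. Refuse to hand out a context that would not verify the peer.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise UselessCAFile("peer verification is not enforced")
    return ctx


if __name__ == "__main__":
    # Constructed sample inputs: an empty file and a file with no certificate.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"empty.pem": "", "garbage.pem": "not a certificate\n"}
        for name, body in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(body)
            try:
                pinned_tls_context(path)
                print(name, "accepted")
            except UselessCAFile as exc:
                print(name, "rejected:", exc)
```
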
#3 Updated by intrigeri 2015-02-10 19:40:04
- Assignee changed from intrigeri to anonym
- % Done changed from 10 to 50
- QA Check set to Ready for QA
#4 Updated by Tails 2015-02-11 11:58:18
- Status changed from In Progress to Fix committed
- % Done changed from 50 to 100
Applied in changeset commit:eb510638089736a52335ef1f91ab18d7894e3fec.
#5 Updated by anonym 2015-02-11 12:00:12
- Assignee deleted (anonym)
- QA Check changed from Ready for QA to Pass
#6 Updated by BitingBird 2015-02-24 22:46:55
- Status changed from Fix committed to Resolved