Pier Angelo Vendrame pushed to branch tor-browser-115.6.0esr-13.5-1 at The Tor Project / Applications / Tor Browser

Commits:

1 changed file:

Changes:

  • security/certverifier/CertVerifier.cpp
    ... ... @@ -865,12 +865,15 @@ Result CertVerifier::VerifySSLServerCert(
    865 865
           // find other certificates with the same subject but different keys, and
    
    866 866
           // the certificate is self-signed.
    
    867 867
           if (StringEndsWith(hostname, ".onion"_ns)) {
    
    868
    -        // Self signed cert over onion is deemed secure, the hidden service
    
    869
    -        // provides authentication. We defer returning this error and keep
    
    870
    -        // processing to determine if there are other legitimate certificate
    
    871
    -        // errors (such as expired, wrong domain) that we would like to surface
    
    872
    -        // to the user
    
    873
    -        errOnionWithSelfSignedCert = true;
    
    868
    +        // Self signed cert over onion is deemed secure in some cases, as the
    
    869
    +        // onion service provides encryption.
    
    870
    +        // Firefox treats some errors as self-signed certificates and it allows
    
    871
    +        // to override them. For Onion services, we prefer being stricter, and
    
    872
    +        // we return the original errors.
    
    873
    +        // Moreover, we need also to determine if there are other legitimate
    
    874
    +        // certificate errors (such as expired, wrong domain) that we would like
    
    875
    +        // to surface to the user.
    
    876
    +        errOnionWithSelfSignedCert = rv == Result::ERROR_UNKNOWN_ISSUER;
    
    874 877
           } else {
    
    875 878
             return Result::ERROR_SELF_SIGNED_CERT;
    
    876 879
           }