Pier Angelo Vendrame pushed to branch tor-browser-115.6.0esr-13.5-1 at The Tor Project / Applications / Tor Browser
Commits:
- 
56ae0dfc
by Pier Angelo Vendrame at 2023-12-13T16:55:36+01:00
1 changed file:
Changes:
| ... | ... | @@ -865,12 +865,15 @@ Result CertVerifier::VerifySSLServerCert( | 
| 865 | 865 |        // find other certificates with the same subject but different keys, and
 | 
| 866 | 866 |        // the certificate is self-signed.
 | 
| 867 | 867 |        if (StringEndsWith(hostname, ".onion"_ns)) {
 | 
| 868 | -        // Self signed cert over onion is deemed secure, the hidden service
 | |
| 869 | -        // provides authentication. We defer returning this error and keep
 | |
| 870 | -        // processing to determine if there are other legitimate certificate
 | |
| 871 | -        // errors (such as expired, wrong domain) that we would like to surface
 | |
| 872 | -        // to the user
 | |
| 873 | -        errOnionWithSelfSignedCert = true;
 | |
| 868 | +        // Self signed cert over onion is deemed secure in some cases, as the
 | |
| 869 | +        // onion service provides encryption.
 | |
| 870 | +        // Firefox treats some errors as self-signed certificates and it allows
 | |
| 871 | +        // to override them. For Onion services, we prefer being stricter, and
 | |
| 872 | +        // we return the original errors.
 | |
| 873 | +        // Moreover, we need also to determine if there are other legitimate
 | |
| 874 | +        // certificate errors (such as expired, wrong domain) that we would like
 | |
| 875 | +        // to surface to the user.
 | |
| 876 | +        errOnionWithSelfSignedCert = rv == Result::ERROR_UNKNOWN_ISSUER;
 | |
| 874 | 877 |        } else {
 | 
| 875 | 878 |          return Result::ERROR_SELF_SIGNED_CERT;
 | 
| 876 | 879 |        }
 |
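Review bot: The assignment on new line 876 narrows the onion exception to exactly `Result::ERROR_UNKNOWN_ISSUER`, but the comment above it only says "some cases" and "some errors", so a reader cannot tell which results are still deferred and which are now surfaced. I would name the value in the comment, for example `// Only ERROR_UNKNOWN_ISSUER is deferred as a self-signed onion cert; every other rv keeps its original error.`, and parenthesise the comparison so it does not read as a chained assignment: `errOnionWithSelfSignedCert = (rv == Result::ERROR_UNKNOWN_ISSUER);`. When the flag stays false, control leaves the `.onion` branch without returning, and the code that then handles `rv` is outside this hunk, since `VerifySSLServerCert` starts and ends beyond it. It is worth confirming there that the original error really reaches the caller and is not turned into an overridable one, and a test with an onion host and a non-`ERROR_UNKNOWN_ISSUER` result would pin that down.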