[ooni-dev] Blocked.org.uk & ooniprobe
daniel at dretzq.org.uk
Sat Aug 29 11:00:30 UTC 2015
On 28/08/15 16:58, Arturo Filastò wrote:
Thanks Arturo. I'm reading through the code at the moment.
>> I did add some minimal support for HTTPS collector URLs in the patch
>> set. It's still being worked on for upstream submission. The HTTPS
>> support probably doesn't go as far as you'd like though.
> Oh that’s great!
> I would love to check out this code and provide some feedback on it.
I've been tidying up the pull request ready to resubmit soon!
>>> Still I would like to preserve the property of having URLs be self
>>> authenticating and designed a scheme to extend HTTPS URIs to support
>>> something similar to certificate pinning here:
>>> https://github.com/hellais/sslpin. That code is just a POC and is
>>> based on an old version of twisted when it was harder to do cert
>>> validation. I think supporting this in recent versions of twisted
>>> should be much easier.
>> Newer versions of twisted and python will do certificate verification
>> using the operating system's certificate store, but as you point out,
>> that doesn't provide a way of ensuring that the only certificate that
>> can be used is from the official CA rather than any of the others.
>> It may be possible to force a twisted agent to only use a bundled CA
>> certificate for verification, rather than relying on the system
>> installed CA list. The python requests library supports this usage, but
>> I'm not sure about twisted.
> Yeah I think a bit of hacks may be needed to implement this, though I think this requirement is quite important to be met.
Not too much hacking required - it was quite straightforward to use
twisted.internet.ssl.CertificateOptions to verify a server certificate
against a single provided CA cert (even a self-generated one). Hostname
verification is still missing though.
I tested it with Twisted 13.2.0 (which is the version provided with
Ubuntu 14.04) and Python 2.7.6.
More information about the ooni-dev