[ooni-dev] Blocked.org.uk & ooniprobe

Daniel Ramsay daniel at dretzq.org.uk
Sat Aug 29 11:00:30 UTC 2015



On 28/08/15 16:58, Arturo Filastò wrote:

Thanks Arturo.  I'm reading through the code at the moment.

>> I did add some minimal support for HTTPS collector URLs in the patch
>> set.  It's still being worked on for upstream submission.  The HTTPS
>> support probably doesn't go as far as you'd like though.
>>
> 
> 
> Oh that’s great!
> 
> I would love to check out this code and provide some feedback on it.
> 
> 

I've been tidying up the pull request ready to resubmit soon!

>>> Still I would like to preserve the property of having URLs be self
>>> authenticating and designed a scheme to extend HTTPS URIs to support
>>> something similar to certificate pinning here:
>>> https://github.com/hellais/sslpin. That code is just a POC and is
>>> based on an old version of twisted when it was harder to do cert
>>> validation. I think supporting this in recent versions of twisted
>>> should be much easier.
>>>
>>
>> Newer versions of twisted and python will do certificate verification
>> using the operating system's certificate store, but as you point out,
>> that doesn't provide a way of ensuring that the only certificate that
>> can be used is from the official CA rather than any of the others.
>>
>> It may be possible to force a twisted agent to only use a bundled CA
>> certificate for verification, rather than relying on the system
>> installed CA list.  The python requests library supports this usage, but
>> I'm not sure about twisted.
> 
> Yeah, I think a few hacks may be needed to implement this, though I think this requirement is quite important to be met.
> 

Not too much hacking required - it was quite straightforward to use
twisted.internet.ssl.CertificateOptions to verify a server certificate
against a single provided CA cert (even a self-generated one).  Hostname
verification is still missing though.

I tested it with Twisted 13.2.0 (which is the version provided with
Ubuntu 14.04) and Python 2.7.6.

Daniel.
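As an added illustration for the two properties discussed in this thread (trusting only one bundled CA, and the hostname check that the CertificateOptions approach above lacks), the following is example code, not code from the thread, from ooniprobe or from Twisted. It assumes Python 3; the hypothetical `pinned_https_policy` helper additionally assumes Twisted 14.0 or later, where `BrowserLikePolicyForHTTPS(trustRoot=...)` performs both the chain check against the given CA and hostname verification.

```python
import ssl


def hostname_matches(hostname, dns_names):
    """Return True if hostname is covered by one of the certificate's
    subjectAltName dNSName entries (RFC 6125 style, simplified).
    Matching is case-insensitive; a wildcard is only honoured as the whole
    leftmost label, matches exactly one label, and needs at least two fixed
    labels after it so that "*.org" never matches anything."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in dns_names:
        name_labels = name.rstrip(".").lower().split(".")
        if len(name_labels) != len(host_labels):
            continue
        if name_labels[0] == "*":
            if len(name_labels) >= 3 and name_labels[1:] == host_labels[1:]:
                return True
        elif name_labels == host_labels:
            return True
    return False


def san_dns_names(peer_cert):
    """Pull the dNSName entries out of the dict that SSLSocket.getpeercert()
    returns, ignoring IP-address and other SAN kinds."""
    return [value for kind, value in peer_cert.get("subjectAltName", ())
            if kind == "DNS"]


def pinned_client_context(ca_pem):
    """Stdlib analogue of 'verify against a single provided CA cert': the
    context trusts nothing from the operating-system store, requires a chain
    to the one embedded CA and, unlike the 2015 Twisted code, checks the
    hostname (PROTOCOL_TLS_CLIENT sets CERT_REQUIRED and check_hostname)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=ca_pem)  # ca_pem: the bundled CA, PEM text
    return ctx


def pinned_https_policy(ca_pem):
    """Hypothetical helper: the same two properties with Twisted >= 14.0.
    Imported inside the function so the hostname helper above stays usable
    without Twisted installed.  Use as Agent(reactor, contextFactory=...)."""
    from twisted.internet.ssl import Certificate
    from twisted.web.client import BrowserLikePolicyForHTTPS
    return BrowserLikePolicyForHTTPS(trustRoot=Certificate.loadPEM(ca_pem))
```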


More information about the ooni-dev mailing list