[ooni-dev] Testing HTTPS URLs and certificate chain

David Fifield david at bamsoftware.com
Mon Jun 22 06:48:08 UTC 2015


It would be good to have ongoing tests for the domains we use as fronts
for anticensorship, e.g.:
	https://www.google.com/
	https://a0.awsstatic.com/
	https://ajax.aspnetcdn.com/
I would love to have periodic checks that 1) each domain is accessible,
and 2) the certificate chain is what we expect, to find MITM attempts.

I suppose the existing nettests/blocking/http_requests.py can handle
simple HTTPS connectivity. Is it easy to add the URLs above to the
standard tests?

I'm less sure about how to get the certificate chain. I did some
searching and didn't find a way to get the certificate chain from the
twisted.web.client.Agent that templates/httpt.py uses (maybe you provide
it a twisted.internet.ssl.ContextFactory somehow?).
nettests/experimental/tls_handshake.py doesn't seem to be quite what I
want. What do you suggest?
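
One way to do the chain check asked about in this message, added here as an example (not code from ooni-probe or from the author). It assumes pyOpenSSL is installed for `fetch_chain`; the function names, the baseline format, and the policy of treating a new leaf under unchanged issuers as routine rotation are assumptions of the example.

```python
import hashlib
import socket

def fingerprints(chain_der):
    """SHA-256 hex fingerprint of each DER certificate, leaf first."""
    return [hashlib.sha256(der).hexdigest() for der in chain_der]

def fetch_chain(host, port=443, timeout=10):
    """Return the chain the server presents as DER bytes, leaf first."""
    from OpenSSL import SSL, crypto  # pyOpenSSL, imported lazily
    ctx = SSL.Context(SSL.SSLv23_METHOD)  # default: no verification, just record
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.settimeout(None)  # pyOpenSSL handshakes need a blocking socket
    try:
        conn = SSL.Connection(ctx, sock)
        conn.set_tlsext_host_name(host.encode("ascii"))  # send SNI
        conn.set_connect_state()
        conn.do_handshake()
        chain = conn.get_peer_cert_chain() or []
        return [crypto.dump_certificate(crypto.FILETYPE_ASN1, c) for c in chain]
    finally:
        sock.close()

def compare_chain(expected, observed):
    """Classify observed fingerprints against a recorded baseline.

    Returns (verdict, details). Assumed policy: a new leaf under unchanged
    issuers is routine rotation; any other difference is flagged.
    """
    if observed == expected:
        return "match", []
    if not observed:
        return "no-chain", ["server presented no certificates"]
    details = []
    if len(observed) != len(expected):
        details.append("chain length %d, expected %d" % (len(observed), len(expected)))
    for i, (exp, obs) in enumerate(zip(expected, observed)):
        if exp != obs:
            details.append("position %d: %s... != %s..." % (i, obs[:16], exp[:16]))
    if len(expected) > 1 and observed[1:] == expected[1:]:
        return "leaf-rotated", details
    return "issuer-changed", details

# Constructed stand-ins for DER certificates (not real certificates).
LEAF, LEAF2, INTERMEDIATE, OTHER_CA = b"leaf-v1", b"leaf-v2", b"intermediate", b"other-ca"
BASELINE = fingerprints([LEAF, INTERMEDIATE])
```

A periodic check would call `compare_chain(baseline, fingerprints(fetch_chain(host)))` for each front domain and report any verdict other than `match` or `leaf-rotated`.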

