[tbb-bugs] #24138 [Applications/Tor Browser]: Older version of Tor Browser not updating

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 6 20:34:34 UTC 2017


#24138: Older version of Tor Browser not updating
--------------------------------------+-----------------------------------
 Reporter:  lizzard                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by mcs):

 It may be difficult to fix this now. Opening Tor Browser 4.5.3, using
 about:config to set `app.update.log = true`, and opening the Browser
 Console reveals that the update URL used is:
 https://www.torproject.org/dist/torbrowser/update_2/release/Darwin_x86_64-gcc3/4.5.3
 /en-US?force=1

 An update check results in this error:
 Expected certificate attribute 'issuerName' value incorrect, expected:
 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert
 Inc,C=US', got: 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US'.

 This happens because 4.5.3 includes some built-in checks to ensure that
 the browser is talking to the correct update server, but unfortunately we
 have switched from a DigiCert issued certificate to one from Let's
 Encrypt. I am not sure how to avoid this problem without running a server
 that uses a certificate from the older CA... forever.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24138#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list