[tor-bugs] #4271 [Torflow]: Perform some integrity checking in bw auth fetches

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Oct 22 05:55:14 UTC 2011


#4271: Perform some integrity checking in bw auth fetches
-----------------------+----------------------------------------------------
 Reporter:  mikeperry  |          Owner:  mikeperry
     Type:  defect     |         Status:  new      
 Priority:  normal     |      Milestone:           
Component:  Torflow    |        Version:           
 Keywords:             |         Parent:           
   Points:             |   Actualpoints:           
-----------------------+----------------------------------------------------

Comment(by aagbsn):

 Replying to [comment:1 aagbsn]:
 > see this blog post that describes how to do certificate verification with urllib2:
 > http://thejosephturner.com/blog/2011/03/19/https-certificate-verification-in-python-with-urllib2/
 >
 > and a work-in-progress:
 > https://gitweb.torproject.org/user/aagbsn/torflow.git/shortlog/refs/heads/4271-integrity-checking
 >
 > note: it looks like the self-signed cert for 38.229.70.2 is not signed by a CA; this can be managed pretty easily with easy-rsa (bundled with openvpn).
 You can also just add the certificate to the ca_cert file
 ("bwauthority_certs"). Should we make the filename a configuration option
 in bwauthority.cfg? Should the certificate be in the repo? (I'd argue it's
 not much worse than the hardcoded urls we presently have, but we probably
 should have a better way to configure urls and certificates).

 And someone should probably validate that the certificate I added is
 actually the right one.

 Also, all we do here is make noise when SSL verification fails. Should we
 make a more significant effort to get attention?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4271#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
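
The questions raised in the comment above (is the certificate in the CA file the right one, and should a failed verification do more than make noise) can be handled as in this added example. It is not code from Torflow or from the ticket. It uses Python 3's `ssl` and `urllib.request` instead of urllib2, and every function name, the `IntegrityError` class and the sample bundle are hypothetical or constructed.

```python
import base64
import hashlib
import ssl
import urllib.error
import urllib.request

class IntegrityError(Exception):
    """Raised instead of only logging, so a failed check stops the fetch."""

def bundle_fingerprints(bundle_pem):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    prints = []
    for chunk in bundle_pem.split("-----BEGIN CERTIFICATE-----")[1:]:
        body = chunk.split("-----END CERTIFICATE-----")[0]
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def check_bundle(bundle_pem, expected):
    """Fail closed unless the bundle holds exactly the expected certificates."""
    found = bundle_fingerprints(bundle_pem)
    if sorted(found) != sorted(expected):
        raise IntegrityError("CA bundle does not match pinned values: %r" % found)
    return found

def pinned_context(bundle_pem):
    """TLS context that trusts only the given bundle, not the system CA store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cadata=bundle_pem)
    return ctx

def fetch(url, ca_file, expected, timeout=30):
    """Fetch url; abort on a bundle mismatch or any TLS verification failure."""
    with open(ca_file) as fh:
        bundle = fh.read()  # read once so the checked bytes are the loaded bytes
    check_bundle(bundle, expected)
    try:
        ctx = pinned_context(bundle)
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.read()
    except (ssl.SSLError, urllib.error.URLError) as exc:
        raise IntegrityError("fetch of %s failed or did not verify" % url) from exc

# Constructed sample: the payload is placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(SAMPLE_DER).decode() + "\n"
                 + "-----END CERTIFICATE-----\n")
```

The expected fingerprints would come from the server operator over a separate channel, so the file in the repository is checked against something other than itself.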

