[tor-bugs] #13553 [RPM packaging]: CA pinning for the RPM repo
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 23 22:34:10 UTC 2014
#13553: CA pinning for the RPM repo
---------------------------+------------------------
Reporter: cypherpunks | Owner: hiviah
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: RPM packaging | Version:
Keywords: | Actual Points:
Parent ID: | Points:
---------------------------+------------------------
Since #12897 has been implemented, RPM repo data is fetched using HTTPS.
To protect against SSL MITM attacks via compromised/rogue CAs I would
suggest implementing CA pinning.
YUM provides an easy way to implement this.
Simply add an additional line to your torproject.repo file [1]
{{{
sslcacert=/path/to/issuing-ca.pem
}}}
That pem file should be rpm-managed so you can easily update it in case
you switch CA.
[1] https://www.torproject.org/docs/rpms.html.en
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13553>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
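The ticket proposes a single `sslcacert=` line; the script below is an added example (not from the ticket, the reporter, or the Tor Project) that audits a yum/dnf `.repo` file for that pin and for the neighbouring settings that would silently undo it (a plain-http `baseurl`, `sslverify=0`, `gpgcheck=0`, or a pinned file that is missing or contains no CA certificate). The sample repo file, its URLs and its CA path are constructed for the demo; the option names `baseurl`, `mirrorlist`, `metalink`, `sslverify`, `sslcacert` and `gpgcheck` are real yum/dnf repo options.

```python
"""Audit yum/dnf .repo files for CA pinning and related transport settings.

Added example, not the ticket's or the Tor Project's own code. It parses a
.repo file with configparser and reports, per repo section, the settings that
weaken the HTTPS + sslcacert pin the ticket proposes. The sample .repo content
below is constructed; the option names are real yum/dnf options.
"""
import configparser
import os
import ssl
import tempfile

# Constructed sample .repo file with three sections showing different problems.
# The URLs and the CA path are placeholders, not real Tor Project values.
SAMPLE_REPO = """\
[pinned]
name=Pinned repo (CA file missing on this host)
baseurl=https://rpm.example.org/el/7/$basearch/
enabled=1
gpgcheck=1
sslcacert=/nonexistent/issuing-ca.pem

[unpinned]
name=HTTPS but trusts every CA in the system store
baseurl=https://rpm.example.org/el/7/$basearch/
enabled=1
gpgcheck=1

[broken]
name=Plain HTTP, verification off, bogus CA file
baseurl=http://rpm.example.org/el/7/$basearch/
enabled=1
gpgcheck=0
sslverify=0
sslcacert={bogus_pem}
"""

FALSE_VALUES = {"0", "no", "false", "off"}


def count_ca_certs(pem_path):
    """Load a PEM bundle into a bare TLS context and count the CA certificates
    in it. get_ca_certs() only reports certificates carrying the CA flag, so a
    leaf certificate pinned by mistake yields 0. Raises OSError (covers
    FileNotFoundError and ssl.SSLError) if the file is missing or not PEM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no system store is loaded
    ctx.load_verify_locations(cafile=pem_path)
    return len(ctx.get_ca_certs())


def audit_repo_file(path):
    """Return {section: [issue codes]} for every repo section in the file."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cfg.read(path)
    report = {}
    for section in cfg.sections():
        opts = cfg[section]
        issues = []
        url = (opts.get("baseurl") or opts.get("mirrorlist")
               or opts.get("metalink") or "").strip()
        if not url.lower().startswith("https://"):
            issues.append("PLAIN_HTTP")
        if opts.get("sslverify", "1").strip().lower() in FALSE_VALUES:
            issues.append("SSLVERIFY_OFF")  # any sslcacert pin is moot here
        if opts.get("gpgcheck", "0").strip().lower() in FALSE_VALUES:
            issues.append("GPGCHECK_OFF")
        cafile = opts.get("sslcacert", "").strip()
        if not cafile:
            issues.append("NO_SSLCACERT")
        else:
            try:
                if count_ca_certs(cafile) == 0:
                    issues.append("CA_FILE_HAS_NO_CA")
            except OSError:
                issues.append("CA_FILE_UNREADABLE")
        report[section] = issues
    return report


def audit_sample():
    """Write the constructed sample to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        bogus = os.path.join(tmp, "bogus.pem")
        with open(bogus, "w") as fh:
            fh.write("this is not a certificate\n")
        repo = os.path.join(tmp, "sample.repo")
        with open(repo, "w") as fh:
            fh.write(SAMPLE_REPO.format(bogus_pem=bogus))
        return audit_repo_file(repo)


if __name__ == "__main__":
    for name, issues in audit_sample().items():
        print(f"[{name}] {', '.join(issues) or 'OK'}")
```

Run it against a real file with `audit_repo_file("/etc/yum.repos.d/torproject.repo")`; a clean section returns an empty list. The `count_ca_certs` check is the part worth keeping: it catches the case where the rpm-managed PEM is updated to a new CA but the file shipped is the server's leaf certificate rather than the issuing CA, which `sslcacert` would then reject at the next metadata fetch.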