[tor-bugs] #24138 [Applications/Tor Browser]: Older version of Tor Browser not updating

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 6 20:44:12 UTC 2017


#24138: Older version of Tor Browser not updating
--------------------------------------+-----------------------------------
 Reporter:  lizzard                   |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by gk):

 Replying to [comment:4 mcs]:
 > It may be difficult to fix this now. Opening Tor Browser 4.5.3, using
 > about:config to set `app.update.log = true`, and opening the Browser
 > Console reveals that the update URL used is:
 >
 > https://www.torproject.org/dist/torbrowser/update_2/release/Darwin_x86_64-gcc3/4.5.3/en-US?force=1
 >
 > An update check results in this error:
 > Expected certificate attribute 'issuerName' value incorrect, expected:
 > 'CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert
 > Inc,C=US', got: 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US'.
 >
 > This happens because 4.5.3 includes some built-in checks to ensure that
 > the browser is talking to the correct update server, but unfortunately we
 > have switched from a DigiCert issued certificate to one from Let's
 > Encrypt. I am not sure how to avoid this problem without running a server
 > that uses a certificate from the older CA... forever.

 So, 2) is even worse than I assumed without checking, *sigh*. But there is
 still 1). Could we do something about the false feedback in the About Tor
 Browser menu?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24138#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
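
The issuer check described in the quoted comment, sketched as an added example; it is not part of the original message and is not Tor Browser or Firefox source code. The function names, the fail-closed handling of an empty pin list and the second pin list are assumptions of this sketch; the two issuer strings are the ones in the quoted error message.

```javascript
// Added illustration, not Tor Browser or Firefox source code.
// A "pin" is a set of certificate attributes that must all match exactly.

// Pin implied by the "expected" value in the quoted error message.
const SHIPPED_PINS = [
  { issuerName: "CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US" },
];

// Attributes of the certificate the server presents now (the "got" value).
const SERVED_CERT = {
  issuerName: "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
};

// Hypothetical pin list that had also carried a second acceptable issuer.
const PINS_WITH_BACKUP = [...SHIPPED_PINS, { issuerName: SERVED_CERT.issuerName }];

// Compare one pin against the certificate; return a list of mismatch messages.
function mismatches(cert, pin) {
  const errors = [];
  for (const [attr, expected] of Object.entries(pin)) {
    const got = cert[attr];
    if (got !== expected) {
      errors.push(
        `Expected certificate attribute '${attr}' value incorrect, ` +
        `expected: '${expected}', got: '${got}'.`
      );
    }
  }
  return errors;
}

// Accept the certificate if any single pin matches in full; fail closed otherwise.
function checkUpdateCert(cert, pins) {
  if (pins.length === 0) {
    return { ok: false, errors: ["no pins configured"] };
  }
  let errors = [];
  for (const pin of pins) {
    errors = mismatches(cert, pin);
    if (errors.length === 0) return { ok: true, errors: [] };
  }
  return { ok: false, errors }; // mismatches against the last pin tried
}

console.log(checkUpdateCert(SERVED_CERT, SHIPPED_PINS));
console.log(checkUpdateCert(SERVED_CERT, PINS_WITH_BACKUP));
```

A client can only ever accept what was in the pin list it shipped with, which is why the CA switch cannot be corrected from the server side for installs that carry only the first list.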

