[tor-commits] [flashproxy/master] Increase verify depth to 3.

dcf at torproject.org
Wed Aug 28 04:06:14 UTC 2013


commit c281cad78c76c75d75837b99f08d01a0cd60ba4e
Author: David Fifield <david at bamsoftware.com>
Date:   Tue Aug 27 20:33:06 2013 -0700

    Increase verify depth to 3.
    
    Previously I saw only this length-2 chain:
    
    	$ openssl s_client -connect www.google.com:443 -verify 10 -CApath /etc/ssl/certs -showcerts
    	verify depth is 10
    	CONNECTED(00000003)
    	depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    	verify return:1
    	depth=1 C = US, O = Google Inc, CN = Google Internet Authority
    	verify return:1
    	depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
    	verify return:1
    	---
    	Certificate chain
    	 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    	   i:/C=US/O=Google Inc/CN=Google Internet Authority
    	 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
    	   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    	---
    	Server certificate
    	subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    	issuer=/C=US/O=Google Inc/CN=Google Internet Authority
    
    Starting today I saw this chain from some but not all clients:
    
    	$ openssl s_client -connect www.google.com:443 -verify 10 -CApath /etc/ssl/certs -showcerts
    	verify depth is 10
    	CONNECTED(00000003)
    	depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    	verify return:1
    	depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    	verify return:1
    	depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    	verify return:1
    	depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
    	verify return:1
    	---
    	Certificate chain
    	 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    	   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    	 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
    	   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    	 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    	   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    	---
    	Server certificate
    	subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
    	issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
 flashproxy-reg-appspot |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flashproxy-reg-appspot b/flashproxy-reg-appspot
index 2ca3467..21a402a 100755
--- a/flashproxy-reg-appspot
+++ b/flashproxy-reg-appspot
@@ -218,7 +218,7 @@ class PinHTTPSConnection(httplib.HTTPSConnection):
             self._tunnel()
 
         ctx = SSL.Context("tlsv1")
-        ctx.set_verify(SSL.verify_peer, 2)
+        ctx.set_verify(SSL.verify_peer, 3)
 
         ca_certs_fd, ca_certs_path = tempfile.mkstemp(prefix="flashproxy-reg-appspot-",
             dir=get_state_dir(), suffix=".crt")
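
Review bot: The depth passed to ctx.set_verify(SSL.verify_peer, 3) is a bare literal with no comment, and it is tuned to exactly the longest chain seen in the commit message (depth=3 at the Equifax root). Nothing in the code records why 3 is the right bound, and the message shows the server's chain lengthening without notice, so the next added intermediate will fail verification here again. Consider a named constant with a comment pointing at the observed chain, and decide whether the bound should carry some headroom given that the certificates written to the ca_certs temp file just below, not the depth limit, are what restrict which chains are accepted.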




