
direct SSL certificate pinning for check.torproject.org and torproject.org (wget local CA workaround)
Open, Normal, Public

Description

Since direct SSL certificate pinning for check.torproject.org and torproject.org (curl method) (T80) would have to wait a long time, until Debian stretch, this ticket is for an alternative approach.

Please make sure you've read T80 first.

wget has no feature for direct certificate pinning (feature request).

Possible workaround: create our own local certificate authority and add only the one certificate we want to use. Approach:

```
# point wget at a trust store that contains only the certificate(s) we accept
wget --ca-certificate <file>
# fetch the server's certificate chain; the first PEM block is the leaf
openssl s_client -showcerts -connect www.torproject.org:443 >/tmp/x.cert </dev/null
# inspect the leaf: openssl x509 reads the first certificate found in the file
openssl x509 -in /tmp/x.cert -noout -text -pubkey
```

Open question: how do you sign a certificate if you have no access to the private key or a CSR (certificate signing request)?

OpenSSL users mailing list thread: "Sign public key without having CSR or private key?". Might work; didn't test, not sure whether it could work.