Information
ID: 82
PHID: PHID-TASK-mtmsmzv5ybfui3w5gpie
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal
Description
Since direct SSL certificate pinning for check.torproject.org and torproject.org (curl method) (T80) would have to wait a long time, until Debian stretch, this ticket is for an alternative approach.
Please make sure you’ve read T80 first.
TODO research:
1.)
openssl s_client can be used to fetch a website:
Step 1.
openssl s_client -connect check.torproject.org:443
Step 2
GET / HTTP/1.1
host: check.torproject.org
How can step two be automated in a script?
2.)
Can openssl s_client be used to fetch (similar to wget, curl) using direct SSL certificate pinning?
Not to be confused with SSL Certificate Authority (CA) pinning (similar to curl's --cacert or --capath option)!
Similar to curl's --pinnedpubkey that was added in version 7.39.0 (changelog).
3.)
Alternatively… Can one pipe curl (or wget) through openssl s_client?
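One way questions 1.) and 2.) could be approached with openssl s_client alone, as an added example that is not part of the original ticket: the request is piped into s_client, and the response is released only if the server's public key hash matches a pin in the format curl's --pinnedpubkey uses. The function names (build_request, spki_pin, fetch_pinned) are hypothetical, and the parsing of the s_client transcript is an assumption that may need adjusting per OpenSSL version.

```shell
#!/bin/sh
# Added example, not code from the ticket; function names are hypothetical.

# Step 2 automated: the request that would otherwise be typed into s_client.
build_request() {  # $1 = host, $2 = path
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# base64(SHA-256(DER SubjectPublicKeyInfo)) of the PEM certificate on stdin,
# i.e. the value curl's --pinnedpubkey takes after "sha256//".
spki_pin() {
    openssl x509 -pubkey -noout | openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary | openssl enc -base64
}

# fetch_pinned HOST PIN [PATH]
# Prints the HTTP response only if the server's public key matches PIN.
# Exit status: 0 = match, 1 = pin mismatch, 2 = no certificate seen.
fetch_pinned() (
    host=$1 pin=$2 path=${3:-/}
    # One connection for both the certificate and the response, so the key
    # that is checked is the key that served the data. Without -quiet,
    # s_client prints the leaf certificate; -ign_eof keeps the connection
    # open after stdin ends. No CA options: the pin is the only trust anchor.
    # Note: the request is sent before the check; do not send secrets this way.
    out=$(build_request "$host" "$path" |
        openssl s_client -ign_eof -connect "$host:443" -servername "$host" \
            2>/dev/null)
    # The first PEM block in the transcript is the server certificate.
    cert=$(printf '%s\n' "$out" | awk '
        /-----BEGIN CERTIFICATE-----/ && !seen { p = 1 }
        p { print }
        /-----END CERTIFICATE-----/ && p { p = 0; seen = 1 }')
    [ -n "$cert" ] || exit 2
    actual=$(printf '%s\n' "$cert" | spki_pin)
    if [ -z "$actual" ] || [ "$actual" != "$pin" ]; then
        echo "pin mismatch for $host (got: $actual)" >&2
        exit 1
    fi
    # Assumption: the response starts at the first line beginning "HTTP/";
    # s_client status lines (e.g. "closed") may still follow the body.
    printf '%s\n' "$out" | sed -n '/^HTTP\//,$p'
)
```

The pin itself can be produced once from a trusted copy of the certificate with `spki_pin < cert.pem`, where cert.pem is a placeholder file name.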
Comments
HulaHoop
2017-05-30 17:06:47 UTC
Patrick
2017-05-30 21:41:05 UTC
HulaHoop
2017-05-31 12:42:02 UTC