direct SSL certificate pinning for check.torproject.org and torproject.org (wget local CA workaround)

Information

ID: 81
PHID: PHID-TASK-4bwehywjhygtnz2beidw
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal

Description

Since direct SSL certificate pinning for check.torproject.org and torproject.org (curl method) (T80) would have to wait a long time, until Debian stretch, this ticket is for an alternative approach.

Please make sure you’ve read T80 first.

wget has no feature for direct certificate pinning (feature request).

Eventual workaround: create our own local certificate authority and add only the one certificate we want to use. Approach:

    wget --ca-certificate <file>                                   # trust only the certificate(s) in <file>
    openssl s_client -showcerts -connect www.torproject.org:443 >/tmp/x.cert </dev/null   # dump the served chain
    openssl x509 -in /tmp/x.cert -noout -text -pubkey              # inspect the first (leaf) certificate and its public key
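
As an added example (not from this ticket, nor from wget or OpenSSL), a Python script that does what the three commands above sketch: split the `s_client -showcerts` output into its certificates, fingerprint each one, and keep only the certificate whose SHA-256 fingerprint was recorded out of band as the content of the `--ca-certificate` file. The sample chain and the pinned fingerprint are constructed; whether wget's TLS backend accepts that single certificate as a trust anchor for the real site still has to be checked against the real site.

```python
import hashlib
import re
import ssl

# Every PEM block in `openssl s_client -showcerts` output, leaf first, then the
# intermediates the server sent; the handshake chatter around them is skipped.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_chain(showcerts_output: str) -> list:
    return PEM_BLOCK.findall(showcerts_output)


def sha256_fingerprint(pem: str) -> str:
    # SHA-256 over the DER bytes: the value `openssl x509 -noout -fingerprint -sha256`
    # prints, minus the colons.
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def find_pinned(chain: list, expected_sha256: str):
    # The one certificate to write into the file given to `wget --ca-certificate`.
    # None means the served chain no longer carries the recorded certificate: stop there.
    for pem in chain:
        if sha256_fingerprint(pem) == expected_sha256:
            return pem
    return None


# Constructed stand-in for s_client output: the two "certificates" are just base64 of
# "abc" and "issuer" so the example runs offline (real DER bodies are far longer).
SAMPLE_SHOWCERTS = """CONNECTED(00000003)
Certificate chain
 0 s:CN = www.torproject.org
   i:O = Example CA
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
 1 s:O = Example CA
   i:O = Example CA
-----BEGIN CERTIFICATE-----
aXNzdWVy
-----END CERTIFICATE-----
"""

# Fingerprint recorded out of band for the trusted certificate (constructed: sha256("abc")).
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

if __name__ == "__main__":
    pinned = find_pinned(split_chain(SAMPLE_SHOWCERTS), PINNED_SHA256)
    if pinned is None:
        raise SystemExit("pinned certificate not in served chain; not fetching")
    with open("pinned-ca.pem", "w") as f:  # then: wget --ca-certificate pinned-ca.pem ...
        f.write(pinned + "\n")
```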

Open question: How to sign a certificate if you have no access to the private key and CSR (certificate signing request)?

OpenSSL users mailing list: "Sign public key without having CSR or private key?"; might work - didn’t test, not sure if it could work.

Comments