On 28/08/15 16:58, Arturo Filastò wrote:
Thanks Arturo. I'm reading through the code at the moment.
I did add some minimal support for HTTPS collector URLs in the patch set. It's still being worked on for upstream submission. The HTTPS support probably doesn't go as far as you'd like though.
Oh that’s great!
I would love to check out this code and provide some feedback on it.
I've been tidying up the pull request ready to resubmit soon!
Still I would like to preserve the property of having URLs be self authenticating and designed a scheme to extend HTTPS URIs to support something similar to certificate pinning here: https://github.com/hellais/sslpin. That code is just a POC and is based on an old version of twisted when it was harder to do cert validation. I think supporting this in recent versions of twisted should be much easier.
Newer versions of twisted and python will do certificate verification using the operating system's certificate store, but as you point out, that doesn't provide a way of ensuring that the only certificate that can be used is from the official CA rather than any of the others.
It may be possible to force a twisted agent to only use a bundled CA certificate for verification, rather than relying on the system installed CA list. The python requests library supports this usage, but I'm not sure about twisted.
Yeah, I think a bit of hacking may be needed to implement this, though I think this requirement is quite important to be met.
Not too much hacking required - it was quite straightforward to use twisted.internet.ssl.CertificateOptions to verify a server certificate against a single provided CA cert (even a self-generated one). Hostname verification is still missing though.
I tested it with Twisted 13.2.0 (which is the version provided with Ubuntu 14.04) and Python 2.7.6.
Daniel.
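The behaviour discussed in the thread (trust only a bundled CA certificate, even a self-generated one, rather than the system store, and check the hostname as well) can be exercised end to end on loopback. The following is an added example, not code from the thread or from the project being discussed; it uses the Python standard library's ssl module rather than Twisted's CertificateOptions, assumes the openssl command-line tool is available to mint throwaway certificates at run time, and all names (collector.example, mismatch.example) are constructed. Because a self-signed certificate is its own issuer, pinning it as the sole CA shows the "single provided CA cert" case; the second certificate for the same name stands in for a certificate from any other CA.

```python
"""Added example: pin one bundled CA certificate and verify the hostname, end to end
on loopback, with the standard library's ssl module (Twisted's CertificateOptions is
not used here). Certificates are generated with the openssl CLI at run time."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "collector.example"   # constructed name; the server certificate is issued for it
LOOPBACK = "127.0.0.1"


def make_self_signed(directory, name, hostname):
    """Generate a throwaway self-signed certificate (constructed test material).
    Being self-signed, the certificate is also the CA that vouches for itself."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + hostname,
         "-addext", "subjectAltName=DNS:" + hostname],
        check=True, capture_output=True)
    return key, crt


def pinned_client_context(ca_cert_path):
    """Client context that trusts only the bundled CA file.
    PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True;
    the system store is never consulted because load_default_certs() is not called."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=ca_cert_path)
    return ctx


def run_handshake(server_key, server_cert, pinned_ca, server_hostname):
    """One-shot TLS server on loopback, pinned client connecting to it.
    Returns ("accepted", None) or ("rejected", <OpenSSL X509 verify error code>)."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)

    listener = socket.socket()
    listener.settimeout(5)
    listener.bind((LOOPBACK, 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
        except OSError:
            pass  # a client that rejects the certificate simply aborts the handshake

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    try:
        client_ctx = pinned_client_context(pinned_ca)
        with socket.create_connection((LOOPBACK, port), timeout=5) as raw:
            # server_hostname is the name the certificate is checked against (and the SNI sent)
            with client_ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                tls.sendall(b"ping")
                return ("accepted", None)
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", exc.verify_code)
    finally:
        thread.join(timeout=5)
        listener.close()


def demo():
    """Three handshakes against the same server certificate."""
    workdir = tempfile.mkdtemp()
    key, crt = make_self_signed(workdir, "collector", HOST)
    _, other_crt = make_self_signed(workdir, "other", HOST)  # unrelated issuer, same name
    return {
        # bundled CA matches the server and the name matches: accepted
        "pinned_ca_right_host": run_handshake(key, crt, crt, HOST),
        # bundled CA matches but the name does not: X509_V_ERR_HOSTNAME_MISMATCH (62)
        "pinned_ca_wrong_host": run_handshake(key, crt, crt, "mismatch.example"),
        # valid name, but not issued by our bundled CA: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18)
        "other_ca_right_host": run_handshake(key, crt, other_crt, HOST),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The third case is the one the thread is after: a certificate that a browser or the system store might happily accept is refused because the client's only trust anchor is the bundled file. The second case covers the hostname verification noted as still missing from the Twisted 13.2 approach; without it, any certificate issued by the pinned CA, for any name, would be accepted.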