[tor-commits] [tor-browser-build/maint-10.0-desktop] Bug 40175: Update obfs4proxy's TLS certificate public key pinning
gk at torproject.org
gk at torproject.org
Mon Dec 7 21:34:01 UTC 2020
commit f93f43c4501a7fd75b624928ab6b4435ba67a0df
Author: Matthew Finkel <sysrqb at torproject.org>
Date: Mon Dec 7 20:33:53 2020 +0000
Bug 40175: Update obfs4proxy's TLS certificate public key pinning
---
projects/obfs4/build | 1 +
projects/obfs4/config | 1 +
projects/obfs4/update_azure_hpkp.patch | 56 ++++++++++++++++++++++++++++++++++
3 files changed, 58 insertions(+)
diff --git a/projects/obfs4/build b/projects/obfs4/build
index 47c7228..4840edf 100644
--- a/projects/obfs4/build
+++ b/projects/obfs4/build
@@ -29,6 +29,7 @@ mkdir -p "$GOPATH/src/gitlab.com/yawning"
ln -sf "$PWD" "$GOPATH/src/gitlab.com/yawning/obfs4.git"
cd obfs4proxy
+patch -p1 < $rootdir/update_azure_hpkp.patch
go build -ldflags '-s'
cp -a obfs4proxy[% IF c("var/windows") %].exe[% END %] $PTDIR
diff --git a/projects/obfs4/config b/projects/obfs4/config
index 21bdab6..749ff43 100644
--- a/projects/obfs4/config
+++ b/projects/obfs4/config
@@ -39,3 +39,4 @@ input_files:
- name: '[% c("var/compiler") %]'
project: '[% c("var/compiler") %]'
enable: '[% c("var/android") %]'
+ - filename: update_azure_hpkp.patch
diff --git a/projects/obfs4/update_azure_hpkp.patch b/projects/obfs4/update_azure_hpkp.patch
new file mode 100644
index 0000000..a4324fc
--- /dev/null
+++ b/projects/obfs4/update_azure_hpkp.patch
@@ -0,0 +1,56 @@
+From 1115c2e2eaca1a96865ae47aead9838aab45787e Mon Sep 17 00:00:00 2001
+From: Philipp Winter <phw at nymity.ch>
+Date: Mon, 7 Dec 2020 10:23:44 -0800
+Subject: [PATCH] Update Azure's root CA certificate pins.
+
+Microsoft recently updated the root CA certificates that are served to
+Azure clients. See the following article for more details:
+https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes
+
+This change broke meek-lite because none of its pins work anymore. That
+means that Tor Browser users can no longer use meek-azure or moat as
+both rely on meek-lite.
+
+This patch fixes the problem by updating the certificate pins.
+---
+ transports/meeklite/hpkp_lite.go | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/transports/meeklite/hpkp_lite.go b/transports/meeklite/hpkp_lite.go
+index 0ff56f9..97ac590 100644
+--- a/transports/meeklite/hpkp_lite.go
++++ b/transports/meeklite/hpkp_lite.go
+@@ -103,19 +103,22 @@ func init() {
+ pins: make(map[string]*pinEntry),
+ }
+
+- // Pin all of Microsoft's CA intermediary certificates for the
+- // Tor Browser Azure bridge.
++ // Pin all of Microsoft Azure's root CA certificates for the Tor Browser
++ // Azure bridge.
+ //
+- // See: https://www.microsoft.com/pki/mscorp/cps/default.htm
++ // See: https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes
+ builtinPinDB.Add(
+ "ajax.aspnetcdn.com",
+ []string{
+- "CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=", // Microsoft IT SSL SHA2 - 2018-05-07 17:03:30
+- "xjXxgkOYlag7jCtR5DreZm9b61iaIhd+J3+b2LiybIw=", // Microsoft IT TLS CA 1 - 2024-05-20 12:51:28
+- "wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", // Microsoft IT TLS CA 2 - 2024-05-20 12:51:57
+- "wUY9EOTJmS7Aj4fDVCu/KeE++mV7FgIcbn4WhMz1I2k=", // Microsoft IT TLS CA 4 - 2024-05-20 12:52:38
+- "RCbqB+W8nwjznTeP4O6VjqcwdxIgI79eBpnBKRr32gc=", // Microsoft IT TLS CA 5 - 2024-05-20 12:53:03
++ "i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2 - 2038-01-15 12:00:00
++ "r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=", // DigiCert Global Root CA - 2031-11-10 00:00:00
++ "Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=", // Baltimore CyberTrust Root - 2025-05-12 23:59:00
++ "7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E=", // D-TRUST Root Class 3 CA 2 2009 - 2029-11-05 08:35:58
++ "svcpi1K/LDysTd/nLeTWgqxYlXWVmC8rYjAa9ZfGmcU=", // Microsoft RSA Root Certificate Authority 2017 - 2042-07-18 23:00:23
++ "NfU84SZGEeAzQP434ex9TMmGxWE9ynD9BKpEVF8tryg=", // Microsoft ECC Root Certificate Authority 2017 - 2042-07-18 23:16:04
+ },
+- time.Date(2024, time.May, 20, 00, 00, 00, 00, time.UTC),
++ // As of 2020-12-07, we're getting the "DigiCert Global Root CA"
++ // certificate, so our expiration time matches this certificate.
++ time.Date(2031, time.November, 20, 00, 00, 00, 00, time.UTC),
+ )
+ }
+--
+2.20.1
More information about the tor-commits
mailing list