refactor: adapt to netem pinning certificates to hosts #1287
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As explained in ooni/netem#40, netem used to generate on the fly certificates for any host. I then discovered that this behavior is not desirable because the internet doesn't work like that. Specifically, TLS dialing to, say, www.example.com with www.google.com as the SNI must return a TLS error (`ssl_invalid_hostname` in OONI). This wrong behavior of netem has become a bottleneck for writing new tests for the beacons functionality, so it must change. I have already changed netem and this diff updates the probe-cli tree to use a netem version that behaves more correctly. While there, I noticed that sniblocking tests were wrong because of the previous netem behavior and asserted that the control should return a nil failure, while it should have been `ssl_invalid_hostname`. Part of ooni/probe#2531
Murphy-OrangeMud
pushed a commit
to Murphy-OrangeMud/probe-cli
that referenced
this pull request
Feb 13, 2024
As explained in ooni/netem#40, netem used to generate on the fly certificates for any host. I then discovered that this behavior is not desirable because the internet doesn't work like that. Specifically, TLS dialing to, say, www.example.com with www.google.com as the SNI must return a TLS error (`ssl_invalid_hostname` in OONI). This wrong behavior of netem has become a bottleneck for writing new tests for the beacons functionality, so it must change. I have already changed netem and this diff updates the probe-cli tree to use a netem version that behaves more correctly. While there, I noticed that sniblocking tests were wrong because of the previous netem behavior and asserted that the control should return a nil failure, while it should have been `ssl_invalid_hostname`. Part of ooni/probe#2531
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As explained in ooni/netem#40, netem used to generate on the fly certificates for any host.
I then discovered that this behavior is not desirable because the internet doesn't work like that. Specifically, TLS dialing to, say, www.example.com with www.google.com as the SNI must return a TLS error (
ssl_invalid_hostnamein OONI).This wrong behavior of netem has become a bottleneck for writing new tests for the beacons functionality, so it must change.
I have already changed netem and this diff updates the probe-cli tree to use a netem version that behaves more correctly.
While there, I noticed that sniblocking tests were wrong because of the previous netem behavior and asserted that the control should return a nil failure, while it should have been
ssl_invalid_hostname.Part of ooni/probe#2531