Merge branch 'bugfix/handle-website-CA-change' into stable

c526408b · Tails developers · 3b214506 · ce5e5246 · c526408b · c526408b
Commit c526408b authored Jan 04, 2015 by Tails developers
3 changed files
--- a/config/chroot_local-hooks/58-create-upgrader-CA-bundle
+++ b/config/chroot_local-hooks/58-create-upgrader-CA-bundle
@@ -2,12 +2,11 @@

 set -e

-echo "Creating Tails Upgrader's CA bundle"
+echo "Creating CA bundle for authenticating https://tails.boum.org/"

-BUNDLE=/usr/local/etc/ssl/certs/tails-iuk.pem
+BUNDLE=/usr/local/etc/ssl/certs/tails.boum.org-CA.pem

 cat /etc/ssl/certs/AddTrust_External_Root.pem \
-    /etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem \
   > "$BUNDLE"

 chmod a+r "$BUNDLE"
--- a/config/chroot_local-includes/usr/local/bin/tails-security-check
+++ b/config/chroot_local-includes/usr/local/bin/tails-security-check
@@ -48,7 +48,7 @@ use Net::SSLeay;
 BEGIN {
    IO::Socket::SSL::set_ctx_defaults(
        verify_mode => Net::SSLeay->VERIFY_PEER(),
-        ca_file => '/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem',
+        ca_file => '/usr/local/etc/ssl/certs/tails.boum.org-CA.pem',
    );
 }
 use LWP::UserAgent; # needs to be *after* IO::Socket::SSL's initialization

--- a/config/chroot_local-patches/iuk-handle-website-CA-change.patch
+++ b/config/chroot_local-patches/iuk-handle-website-CA-change.patch
+--- a/usr/share/perl5/Tails/IUK.pm
+++ b/usr/share/perl5/Tails/IUK.pm
+@@ -255,6 +255,7 @@ method _build_squashfs_diff  {
+ 
+     run_as_root(
+         "rsync", "--archive", "--quiet", "--delete-after", "--acls",
+        "--checksum",
+         sprintf("%s/", dir($new_squashfs_mount)),
+         sprintf("%s/", dir($union)),
+     );
+--- a/usr/share/perl5/Tails/IUK/UpgradeDescriptionFile/Download.pm
+++ b/usr/share/perl5/Tails/IUK/UpgradeDescriptionFile/Download.pm
+@@ -105,7 +105,7 @@ method _build_curl_opts {
+     }
+     else {
+         my $cafile = $ENV{HTTPS_CA_FILE};
+-        $cafile  //= '/etc/ssl/certs/UTN_USERFirst_Hardware_Root_CA.pem';
+        $cafile  //= '/usr/local/etc/ssl/certs/tails.boum.org-CA.pem';
+         push @opts, CURLOPT_SSL_VERIFYHOST,  2;
+         push @opts, CURLOPT_SSL_VERIFYPEER,  1;
+         push @opts, CURLOPT_CAINFO,          $cafile;