Automatically test that Tails Upgrader rejects valid certificates for the wrong hostname
Originally created by @intrigeri on #8434 (Redmine)
In
features/download_upgrade-description_file/Download_Upgrade-Description_File.feature
,
we test some invalid certificate cases, but we don’t test that a valid
certificate for a wrong hostname is rejected. We should.
Implementation-wise, we could:
- either get ourselves a valid certificate for a test-only hostname (both the public and private keys will be in our iuk Git repo); this requires the least amount of divergence between the code being tested and the code run in production;
- or use something like TLSPretense, that can generate various kinds of flawed certificates on the fly; it requires adding a CA used by TLSPretense to the list of those trusted by the client; it adds firewall rules to intercept the network traffic