Automatically test that Tails Upgrader rejects valid certificates for the wrong hostname
we test some invalid certificate cases, but we don’t test that a valid
certificate for a wrong hostname is rejected. We should.
Implementation-wise, we could:
- either get ourselves a valid certificate for a test-only hostname (both the public and private keys will be in our iuk Git repo); this requires the least amount of divergence between the code being tested and the code run in production;
- or use something like TLSPretense, that can generate various kinds of flawed certificates on the fly; it requires adding a CA used by TLSPretense to the list of those trusted by the client; it adds firewall rules to intercept the network traffic