GitLab

Closes #18717 (closed), #18830 (closed)

• rewrite curl client so that it accepts certificates valid in the future, as per Mitigate attack by active network adversary on ... (#18830 - closed)

  • compile the Go client, aka https-get-expired
  • integrate https-get-expired in config/chroot_local-includes/usr/local/sbin/htpdate

• avoid races between Tor Connection and tails-get-network-time (done, please review)

  • make sure there is a timeout to tails-get-network-time
  • check that even if it fails, the connection to Tor must be attempted
  • review the new UI. In particular:
    • there is no indication to the user that "syncing our clock" failed
    • progress bar doesn't account for "syncing our clock"

• test again in Bullseye

Note for the reviewers:

• double-check, in debug.log, [check_tor_leaks]: they should match what you expect
• grep for Warning: these queries were allowed but not needed: . This should never happen.
• to allow for easy testing, I use httpbin.org in the test suite. Do we think this is a problem? I don't think so, because:
  • even if this is some form of lock-in, that application is free software, apparently well-packaged, so we could even run our own instance.
  • in terms of reliability... let's see how it fares!