probe icon indicating copy to clipboard operation
probe copied to clipboard

Published 20 hours ago verified publisher icon ooni

www.jsf.mil: ssl_unknown_authority

Open bassosimone opened this issue 2 years ago • 2 comments

Measurements for http://www.jsf.mil/ fail with ssl_unknown_authority. As such, this issue is similar to https://github.com/ooni/probe/issues/2280 and https://github.com/ooni/probe/issues/1475.

This measurement includes the ssl_unknown_authority failure along with interesting DNS failures in the system resolver and the UDP resolver (which are the same resolver on my system because of Vodafone Rete Sicura).

Additionally, it's worth noting that http://www.jsf.mil/ is not working as intended and only https://www.jsf.mil/ can be browsed, as confirmed by the this measurement's control results. Therefore, it would be more correct to change the test lists URL.

H/T @Arky for spotting this issue!

bassosimone avatar Sep 30 '22 08:09 bassosimone

I think the issue is that certain intermediates certificates are not handled in the code. Perhaps using alternative packages should plug the gap. https://pkg.go.dev/filippo.io/intermediates

You can check the full list of Root certificates shipped by Firefox here: https://ccadb-public.secure.force.com/mozilla/PublicAllIntermediateCerts

arky avatar Sep 30 '22 10:09 arky

Browsers implement AIA fetching to handle missing intermediate certificates, full discussion here

arky avatar Sep 30 '22 12:09 arky

We can measure the website now using Web Connectivity v0.5.

bassosimone avatar Jan 25 '24 17:01 bassosimone

I think we're done here. I've also opened https://github.com/citizenlab/test-lists/pull/1623 to update the test lists.

bassosimone avatar Jan 25 '24 17:01 bassosimone

Thank you! @bassosimone I might need to retest this will new version at some point.

arky avatar Jan 26 '24 13:01 arky