Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CRLsets reintroduced #997

Merged
merged 2 commits into from
Dec 11, 2018
Merged

CRLsets reintroduced #997

merged 2 commits into from
Dec 11, 2018

Conversation

jumde
Copy link
Contributor

@jumde jumde commented Nov 30, 2018

fix brave/brave-browser#518
fix brave/brave-browser#2160

CRLSets was reverted, this PR contains these changes:

  1. Issue 518: Enabling CRLSets #652
  2. Issue 2160: Proxy requests for CRLSets through crlsets[n].brave.com #920
  3. Proxying requests for update.googleapis.com through componentupdater.brave.com
  4. Proxying requests for clients2.googleusercontent.com through crxdownload.brave.com

Submitter Checklist:

  • Submitted a ticket for my issue if one did not already exist.
  • Used Github auto-closing keywords in the commit message.
  • Added/updated tests for this change (for new code or code which already has tests).
  • Verified that these changes build without errors on
    • Windows
    • macOS
    • Linux
  • Verified that these changes pass automated tests (npm test brave_unit_tests && npm test brave_browser_tests) on
    • Windows
    • macOS
    • Linux
  • Ran git rebase master (if needed).
  • Ran git rebase -i to squash commits (if needed).
  • Tagged reviewers and labelled the pull request as needed.
  • Request a security/privacy review as needed.
  • Add appropriate QA labels (QA/Yes or QA/No) to include the closed issue in milestone

Test Plan:

  1. Start Little Snitch or Fiddler and Brave
  2. Wait for ~2 mins and verify that there are no connections to *.gvt1.com, dl.google.com and update.googleapis.com, clients2.googleusercontent.com
  3. Navigate to <data-dir>/CertificateRevocation/<dir> and check if crl-sets are populated.
  4. On linux, windows - verify if revoked.badssl.com shows a certificate error.
  5. Reviewers only - Checkout fix/network-audit-crlset and run npm run network-audit to verify the audit passes.

Reviewer Checklist:

  • New files have MPL-2.0 license header.
  • Request a security/privacy review as needed.
  • Adequate test coverage exists to prevent regressions
  • Verify test plan is specified in PR before merging to source

@jumde jumde self-assigned this Nov 30, 2018
@jumde
Copy link
Contributor Author

jumde commented Nov 30, 2018

@bbondy bbondy changed the title Crlset reintroduced WIP: Crlset reintroduced Dec 2, 2018
@jumde jumde force-pushed the crlset_reintroduced branch 3 times, most recently from 5bc353a to 3659b8c Compare December 4, 2018 00:59
@jumde jumde changed the title WIP: Crlset reintroduced CRLsets reintroduced Dec 4, 2018
1. Proxy requests for CRLSets through crlsets[n].brave.com
2. Proxy requests for update.googleapis.com through componentupdater.brave.com
3. Proxy requests for clients2.googleusercontent.com through crxdownload.brave.com
@jumde jumde force-pushed the crlset_reintroduced branch from 3659b8c to 987bf7b Compare December 4, 2018 01:32
@jumde
Copy link
Contributor Author

jumde commented Dec 7, 2018

Verified on Ubuntu, works as expected.

@jumde jumde merged commit 1a388e4 into master Dec 11, 2018
@jumde
Copy link
Contributor Author

jumde commented Dec 11, 2018

master - 1a388e4

@bbondy
Copy link
Member

bbondy commented Dec 15, 2018

Doh sorry in advance but have to revert this again.
Explanation for this here:
#1084 (comment)

Let's reland once we have the fix in brave/go-update.

@bbondy
Copy link
Member

bbondy commented Dec 15, 2018

Reverted here:
#1104

master: 14706a8
0.60.x: 1a1b03d

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Proxy requests for CRLSets through crlsets[n].brave.com enable certificate revocation
4 participants