Bug 41728: Pin bridges.torproject.org domains to Let's Encrypt's root cert public key

ma1 requested to merge ma1/tor-browser:bug_41728 into tor-browser-102.10.0esr-12.5-1

Merge Info

  • Related Issues

  • Backport Timeline

    • Immediate - patchsets for critical bug fixes or other major blocker (e.g. fixes for a 0-day exploit) OR patchsets with trivial changes which do not need testing (e.g. fixes for typos or fixes easily verified in a local developer build)
    • Next Minor Stable Release - patchset that needs to be verified in nightly before backport
    • Eventually - patchset that needs to be verified in alpha before backport
    • No Backport - patchset for the next major stable
  • Upstream Merging

    • Merge to base-browser - typically for !fixups to patches in the base-browser branch, though sometimes new patches as well
      • NOTE: if your changeset includes patches to both base-browser and tor-browser, please make separate merge requests for each part
  • Issue Tracking

Change Description

To verify it, you should either obtain a certificate for bridges.torproject.org from an authority different than Let's Encrypt (not using the same root certificate) and MITM bridges.torproject.org, getting the SSL error in the screenshot below.

Or, more easily, you can use the intermediate test commit 828666e1 I'm submitting first (which pins bridges.torproject.org to a different CA) and get the same error without MITMing the site.

Edited by ma1
