Changes between Initial Version and Version 1 of Ticket #12208, comment 1


Timestamp:
Jun 5, 2014, 3:01:13 AM (5 years ago)
Author:
dcf

  • Ticket #12208, comment 1

    initial v1  
    1616The golang HTTPS library, when you connect to an IP address, sends a server_name extension whose value is the IP address as a string. When I tried the same thing in Firefox 29 just now, it simply leaves off the server_name extension.
    1717
    18 How [[GoAgent]] does it is it cooks up its own TLS connection using Python's ssl library, Python's ssl library doesn't do any verification, and then GoAgent itself does some nonstandard verification, not checking any certs but either [https://github.com/goagent/goagent/blob/4426c2523815cc0b17651eed9e52ca2a5e59844b/local/proxy.py#L1621 looking for an organizationName starting with "Google "] or [https://github.com/goagent/goagent/blob/4426c2523815cc0b17651eed9e52ca2a5e59844b/local/proxy.py#L1681 looking for ".google" or ".appspot.com" in the commonName]. It's essentially the same as InsecureSkipVerify.
     18How [[doc/GoAgent|GoAgent]] does it is it cooks up its own TLS connection using Python's ssl library, Python's ssl library doesn't do any verification, and then GoAgent itself does some nonstandard verification, not checking any certs but either [https://github.com/goagent/goagent/blob/4426c2523815cc0b17651eed9e52ca2a5e59844b/local/proxy.py#L1621 looking for an organizationName starting with "Google "] or [https://github.com/goagent/goagent/blob/4426c2523815cc0b17651eed9e52ca2a5e59844b/local/proxy.py#L1681 looking for ".google" or ".appspot.com" in the commonName]. It's essentially the same as InsecureSkipVerify.
    1919
    2020I don't know yet if there's a way to do what we want in the Firefox and Chrome helpers.
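
Review bot: In the modified line 18, the conclusion "It's essentially the same as InsecureSkipVerify" is stated without its reason. Consider adding it next to the two proxy.py links: because no chain validation is done, the organizationName and commonName being matched are whatever the party presenting the certificate chose to put in it, so the string checks authenticate nothing. The edit itself only retargets the wiki link from [[GoAgent]] to [[doc/GoAgent|GoAgent]] and keeps the visible label, which looks fine.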