Ticket #35012

Migrate update check to HTTPS

Open Date: 2015-03-25 14:32 Last Update: 2015-06-03 21:50

Reporter:
Owner: (None)
Status: Closed
Component: (None)
MileStone:
Priority: 5 - Medium
Severity: 5 - Medium
Resolution: Remind
File: None

Details

In ticket #34796 ("Hash value check in the update check"), the introduction of HTTPS itself was postponed, so this ticket covers introducing HTTPS.

Following a discussion at the board meeting, we decided to look into the free plan from startssl.com, and as a first step HTTPS has been set up on the web server side.

https://www.nvda.jp/

At present the content is identical to the existing HTTP content.

Ticket History (3/5 Histories)

2015-03-25 14:32 Updated by: nishimoto
  • New Ticket "Migrate update check to HTTPS" created
2015-05-04 20:09 Updated by: nishimoto
  • Resolution Update from None to Fixed
Comment

Work for this ticket

[jpbeta fe3f253] ti35012 use https for update check
 1 file changed, 1 insertion(+), 1 deletion(-)

The server is running:

curl -i "https://www.nvda.jp/updateCheck/"
2015-05-24 11:33 Updated by: nishimoto
Comment

I built a trial version with a digital signature, installed it in a Windows 8.1 environment, and ran the update check, which failed with the error below.

DEBUGWARNING - updateCheck.AutoUpdateChecker._bg (11:27:03):
Error checking for update
Traceback (most recent call last):
  File "updateCheck.pyo", line 116, in _bg
  File "updateCheck.pyo", line 81, in checkForUpdate
  File "urllib.pyo", line 87, in urlopen
  File "urllib.pyo", line 213, in open
  File "urllib.pyo", line 443, in open_https
  File "httplib.pyo", line 997, in endheaders
  File "httplib.pyo", line 850, in _send_output
  File "httplib.pyo", line 812, in send
  File "httplib.pyo", line 1216, in connect
  File "ssl.pyo", line 350, in wrap_socket
  File "ssl.pyo", line 566, in __init__
  File "ssl.pyo", line 788, in do_handshake
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
2015-05-24 11:43 Updated by: nishimoto
  • Resolution Update from Fixed to Remind
Comment

The code in updateCheck.py that re-fetches the root certificate from www.nvaccess.org needs to be modified:

def _updateWindowsRootCertificates():
	crypt = ctypes.windll.crypt32
	# Get the server certificate.
	sslCont = ssl._create_unverified_context()
	u = urllib.urlopen("https://www.nvaccess.org/nvdaUpdateCheck", context=sslCont)
	cert = u.fp._sock.getpeercert(True)
	u.close()
	# Convert to a form usable by Windows.
	certCont = crypt.CertCreateCertificateContext(
		0x00000001, # X509_ASN_ENCODING
		cert,
		len(cert))
	# Ask Windows to build a certificate chain, thus triggering a root certificate update.
	chainCont = ctypes.c_void_p()
	crypt.CertGetCertificateChain(None, certCont, None, None,
		ctypes.byref(CERT_CHAIN_PARA(cbSize=ctypes.sizeof(CERT_CHAIN_PARA),
			RequestedUsage=CERT_USAGE_MATCH())),
		0, None,
		ctypes.byref(chainCont))
	crypt.CertFreeCertificateChain(chainCont)
	crypt.CertFreeCertificateContext(certCont)
2015-06-03 21:50 Updated by: nishimoto
  • Ticket Close date is changed to 2015-06-03 21:50
  • Status Update from Open to Closed
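
The handling that the CERTIFICATE_VERIFY_FAILED log above calls for, as an added example that is not from the ticket and not NVDA's code: fetch the update information with verification on, refresh the root store once if verification fails, then retry with a new verifying context and never fall back to an unverified fetch. It is written against the Python 3 standard library (the ticket's code is Python 2); `refresh_roots` is a hypothetical callback standing in for a routine such as `_updateWindowsRootCertificates()`, and `FlakyOpener` is a constructed stand-in for the server so the logic runs offline.

```python
import ssl
import urllib.error
import urllib.request


def is_cert_verify_failure(exc):
    """True when exc is, or wraps, a certificate verification failure."""
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    return isinstance(reason, ssl.SSLError) and (
        isinstance(reason, ssl.SSLCertVerificationError)
        or getattr(reason, "reason", None) == "CERTIFICATE_VERIFY_FAILED")


def fetch_update_info(url, refresh_roots, opener=urllib.request.urlopen):
    """Fetch url with verification on; refresh roots and retry once on a verify failure.

    refresh_roots (hypothetical) triggers the platform root certificate update.
    opener is injectable so the logic can be exercised without a network.
    """
    try:
        return opener(url, context=ssl.create_default_context()).read()
    except (urllib.error.URLError, ssl.SSLError) as exc:
        if not is_cert_verify_failure(exc):
            raise  # timeouts, DNS or HTTP errors are not a trust-store problem
    refresh_roots()
    # A fresh context re-reads the system store, so newly installed roots are seen.
    # Verification stays on: if this attempt fails too, the error reaches the caller.
    return opener(url, context=ssl.create_default_context()).read()


class FlakyOpener:
    """Constructed stand-in for urlopen: fails verification `failures` times."""

    def __init__(self, failures, body=b"version: constructed-sample\n"):
        self.failures, self.body, self.contexts = failures, body, []

    def __call__(self, url, context=None):
        self.contexts.append(context)
        if len(self.contexts) <= self.failures:
            raise urllib.error.URLError(
                ssl.SSLCertVerificationError("certificate verify failed"))
        return self

    def read(self):
        return self.body
```

The unverified context in the ticket's function is only used to obtain the server certificate for the Windows chain builder; the update data itself should only ever be read through a verifying context, as here.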

Attachment File List

No attachments
