Ticket #35012

Open Date: 2015-03-25 14:32

Last Update: 2015-06-03 21:50

Migrating the update check to HTTPS

Reporter: nishimoto
Owner: (None)
Priority: 5 - Medium
MileStone: 2015.2jp (closed)
Type: Support Request
Severity: 5 - Medium
Component: (None)
Status: Closed
Resolution: Remind

Details

Introducing HTTPS itself was deferred in ticket #34796, "Hash value check processing in the update check", so this ticket covers the introduction of HTTPS.

After an exchange of opinions at the board meeting, it was decided to consider the free plan from startssl.com, and for now HTTPS has been introduced on the web server side.

https://www.nvda.jp/

At present the content is identical to the existing HTTP content.


Ticket History - 3/5 Histories

2015-03-25 14:32 Updated by: nishimoto

  • New Ticket "Migrating the update check to HTTPS" created

2015-05-04 20:09 Updated by: nishimoto

  • Resolution Update from None to Fixed

Comment

Work done for this ticket:

[jpbeta fe3f253] ti35012 use https for update check
 1 file changed, 1 insertion(+), 1 deletion(-)

The server is running:

curl -i "https://www.nvda.jp/updateCheck/"

2015-05-24 11:33 Updated by: nishimoto

Comment

I built a trial version with a digital signature, installed it in a Windows 8.1 environment, and ran the update check, which failed with the error below.

DEBUGWARNING - updateCheck.AutoUpdateChecker._bg (11:27:03):
Error checking for update
Traceback (most recent call last):
  File "updateCheck.pyo", line 116, in _bg
  File "updateCheck.pyo", line 81, in checkForUpdate
  File "urllib.pyo", line 87, in urlopen
  File "urllib.pyo", line 213, in open
  File "urllib.pyo", line 443, in open_https
  File "httplib.pyo", line 997, in endheaders
  File "httplib.pyo", line 850, in _send_output
  File "httplib.pyo", line 812, in send
  File "httplib.pyo", line 1216, in connect
  File "ssl.pyo", line 350, in wrap_socket
  File "ssl.pyo", line 566, in __init__
  File "ssl.pyo", line 788, in do_handshake
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

2015-05-24 11:43 Updated by: nishimoto

  • Resolution Update from Fixed to Remind

Comment

The processing in updateCheck.py that re-fetches the root certificate from www.nvaccess.org needs to be modified:

def _updateWindowsRootCertificates():
	crypt = ctypes.windll.crypt32
	# Get the server certificate.
	sslCont = ssl._create_unverified_context()
	u = urllib.urlopen("https://www.nvaccess.org/nvdaUpdateCheck", context=sslCont)
	cert = u.fp._sock.getpeercert(True)
	u.close()
	# Convert to a form usable by Windows.
	certCont = crypt.CertCreateCertificateContext(
		0x00000001, # X509_ASN_ENCODING
		cert,
		len(cert))
	# Ask Windows to build a certificate chain, thus triggering a root certificate update.
	chainCont = ctypes.c_void_p()
	crypt.CertGetCertificateChain(None, certCont, None, None,
		ctypes.byref(CERT_CHAIN_PARA(cbSize=ctypes.sizeof(CERT_CHAIN_PARA),
			RequestedUsage=CERT_USAGE_MATCH())),
		0, None,
		ctypes.byref(chainCont))
	crypt.CertFreeCertificateChain(chainCont)
	crypt.CertFreeCertificateContext(certCont)
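
The traceback and the routine above imply a flow of verified fetch, root certificate refresh on CERTIFICATE_VERIFY_FAILED, then one more verified fetch. The following Python 3 code is an added example of that flow, not code from this ticket or from NVDA; `check_for_update`, `fetch_verified` and the `refresh_roots(host, port)` hook are assumed names.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def is_cert_verify_failure(exc):
    """True when exc is, or wraps, a certificate verification failure."""
    # urlopen() wraps handshake errors in URLError; unwrap to the ssl error.
    inner = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(inner, ssl.SSLCertVerificationError):
        return True
    return isinstance(inner, ssl.SSLError) and "CERTIFICATE_VERIFY_FAILED" in str(inner)


def fetch_verified(url, timeout=30):
    """Fetch url with certificate and hostname verification enabled."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def check_for_update(url, fetch=fetch_verified, refresh_roots=None):
    """Fetch the update-check response, refreshing trust roots at most once.

    refresh_roots(host, port) is a hypothetical hook: on Windows it would be a
    host-parameterized version of the root certificate routine quoted above.
    Response data only ever comes from a verified connection.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("update check URL must be an https URL")
    try:
        return fetch(url)
    except OSError as exc:  # URLError and ssl.SSLError are both OSError
        if refresh_roots is None or not is_cert_verify_failure(exc):
            raise
    # Refresh roots for the host actually being contacted, not a fixed one.
    refresh_roots(parts.hostname, parts.port or 443)
    # Second attempt is still verified; a repeated failure propagates.
    return fetch(url)
```

The unverified TLS context in the quoted routine is used only to obtain the server certificate for chain building; in this flow nothing read over such a connection is returned to the caller.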

2015-06-03 21:50 Updated by: nishimoto

  • Ticket Close date is changed to 2015-06-03 21:50
  • Status Update from Open to Closed
