diff --git a/UPSTREAM b/UPSTREAM
index b4c2f84b..5467d18e 100644
--- a/UPSTREAM
+++ b/UPSTREAM
@@ -1 +1 @@
-v3.17.0-alpha.1-68-ge8feee59
+v3.17.0-alpha.1-75-g9626fffd
diff --git a/go.mod b/go.mod
index c4401a98..95e6b70b 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/ooni/netem v0.0.0-20230316075930-83d9720a67f9
 github.com/ooni/oocrypto v0.5.1
 github.com/ooni/oohttp v0.6.1
- github.com/ooni/probe-assets v0.15.0
+ github.com/ooni/probe-assets v0.16.0
 github.com/pborman/getopt/v2 v2.1.0
 github.com/pion/stun v0.3.5
 github.com/pkg/errors v0.9.1
diff --git a/go.sum b/go.sum
index ba14458a..1a5d2654 100644
--- a/go.sum
+++ b/go.sum
@@ -612,8 +612,8 @@ github.com/ooni/oocrypto v0.5.1 h1:7LD07H2LA7mAQIVhZ1k6eHlRxN7ux/mHhoFdBUgWFSQ=
 github.com/ooni/oocrypto v0.5.1/go.mod h1:lqrqVa4E9D0tCMmprzbwuokAIvX949HAlUs5crZne3c=
 github.com/ooni/oohttp v0.6.1 h1:lftBsmunh6pzAReLyaSwdez10cJtYRlpC2fa0062HJQ=
 github.com/ooni/oohttp v0.6.1/go.mod h1:/7fPgmXNkMSXBpLOdARkhyn3vsNAtmZ0C3G5C/KLd6Q=
-github.com/ooni/probe-assets v0.15.0 h1:VFOnVO4rypeI6Qfn25Uck1YhAlu3BJQqC9Vrp8nL8C0=
-github.com/ooni/probe-assets v0.15.0/go.mod h1:+otUATjJ8T7NsTKhmkXAKLW9oy0NhbcggXhlKzZHqVI=
+github.com/ooni/probe-assets v0.16.0 h1:X2Zb73KEMmzPM36qMIRDukdGEL/KuUY5OQgBcJHxJ6g=
+github.com/ooni/probe-assets v0.16.0/go.mod h1:+otUATjJ8T7NsTKhmkXAKLW9oy0NhbcggXhlKzZHqVI=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opentracing-contrib/go-observer v0.0.0-20170622124052-a52f23424492/go.mod h1:Ngi6UdF0k5OKD5t5wlmGhe/EDKPoUM3BXZSSfIuJbis=
 github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74=
diff --git a/pkg/cmd/buildtool/android_test.go b/pkg/cmd/buildtool/android_test.go
index 66c23375..e0f306f2 100644
--- a/pkg/cmd/buildtool/android_test.go
+++ b/pkg/cmd/buildtool/android_test.go
@@ -702,12 +702,12 @@ func TestAndroidBuildCdepsOpenSSL(t *testing.T) {
 expect: []buildtooltest.ExecExpectations{{
 Env: []string{},
 Argv: []string{
- "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
+ "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
 Argv: []string{
- "tar", "-xf", "openssl-1.1.1t.tar.gz",
+ "tar", "-xf", "openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
@@ -763,12 +763,12 @@ func TestAndroidBuildCdepsOpenSSL(t *testing.T) {
 }, {
 Env: []string{},
 Argv: []string{
- "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
+ "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
 Argv: []string{
- "tar", "-xf", "openssl-1.1.1t.tar.gz",
+ "tar", "-xf", "openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
@@ -824,12 +824,12 @@ func TestAndroidBuildCdepsOpenSSL(t *testing.T) {
 }, {
 Env: []string{},
 Argv: []string{
- "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
+ "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
 Argv: []string{
- "tar", "-xf", "openssl-1.1.1t.tar.gz",
+ "tar", "-xf", "openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
@@ -885,12 +885,12 @@ func TestAndroidBuildCdepsOpenSSL(t *testing.T) {
 }, {
 Env: []string{},
 Argv: []string{
- "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1t.tar.gz",
+ "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
 Argv: []string{
- "tar", "-xf", "openssl-1.1.1t.tar.gz",
+ "tar", "-xf", "openssl-1.1.1u.tar.gz",
 },
 }, {
 Env: []string{},
diff --git a/pkg/cmd/buildtool/cdepsopenssl.go b/pkg/cmd/buildtool/cdepsopenssl.go
index 912eda34..b64b1fa3 100644
--- a/pkg/cmd/buildtool/cdepsopenssl.go
+++ b/pkg/cmd/buildtool/cdepsopenssl.go
@@ -27,13 +27,13 @@ func cdepsOpenSSLBuildMain(globalEnv *cBuildEnv, deps buildtoolmodel.Dependencie defer restore() // See https://github.com/Homebrew/homebrew-core/blob/master/Formula/openssl@1.1.rb - cdepsMustFetch("https://www.openssl.org/source/openssl-1.1.1t.tar.gz") + cdepsMustFetch("https://www.openssl.org/source/openssl-1.1.1u.tar.gz") deps.VerifySHA256( // must be mockable - "8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b", - "openssl-1.1.1t.tar.gz", + "e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6", + "openssl-1.1.1u.tar.gz", ) - must.Run(log.Log, "tar", "-xf", "openssl-1.1.1t.tar.gz") - _ = deps.MustChdir("openssl-1.1.1t") // must be mockable + must.Run(log.Log, "tar", "-xf", "openssl-1.1.1u.tar.gz") + _ = deps.MustChdir("openssl-1.1.1u") // must be mockable mydir := filepath.Join(topdir, "CDEPS", "openssl") for _, patch := range cdepsMustListPatches(mydir) { @@ -47,12 +47,12 @@ func cdepsOpenSSLBuildMain(globalEnv *cBuildEnv, deps buildtoolmodel.Dependencie mergedEnv := cBuildMerge(globalEnv, localEnv) envp := cBuildExportOpenSSL(mergedEnv) - // QUIRK: OpenSSL-1.1.1t wants ANDROID_NDK_HOME + // QUIRK: OpenSSL-1.1.1u wants ANDROID_NDK_HOME if mergedEnv.ANDROID_NDK_ROOT != "" { envp.Append("ANDROID_NDK_HOME", mergedEnv.ANDROID_NDK_ROOT) } - // QUIRK: OpenSSL-1.1.1t wants the PATH to contain the + // QUIRK: OpenSSL-1.1.1u wants the PATH to contain the // directory where the Android compiler lives. if mergedEnv.BINPATH != "" { envp.Append("PATH", cdepsPrependToPath(mergedEnv.BINPATH)) diff --git a/pkg/cmd/buildtool/linuxcdeps_test.go b/pkg/cmd/buildtool/linuxcdeps_test.go index c37027d2..89a1acf8 100644 --- a/pkg/cmd/buildtool/linuxcdeps_test.go +++ b/pkg/cmd/buildtool/linuxcdeps_test.go 
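Review bot: The release string `openssl-1.1.1u` is written out four times in the code of cdepsOpenSSLBuildMain (the download URL, the file name given to `deps.VerifySHA256`, the `tar` argument and the `MustChdir` directory) and twice more in the QUIRK comments of the next hunk, beside a digest that is pasted in separately. A later bump that misses one of these spots is only caught when the build runs. Consider hoisting the pair into two package constants, for example `cdepsOpenSSLVersion` and `cdepsOpenSSLSHA256`, and deriving the URL, archive name and directory from the first. A short comment saying where the expected SHA-256 was taken from would also let a reviewer compare it with the digest published upstream instead of one computed from the downloaded file. The function starts before and ends after this hunk.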
@@ -92,12 +92,12 @@ func TestLinuxCdepsBuildMain(t *testing.T) { expect: []buildtooltest.ExecExpectations{{ Env: []string{}, Argv: []string{ - "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1t.tar.gz", + "curl", "-fsSLO", "https://www.openssl.org/source/openssl-1.1.1u.tar.gz", }, }, { Env: []string{}, Argv: []string{ - "tar", "-xf", "openssl-1.1.1t.tar.gz", + "tar", "-xf", "openssl-1.1.1u.tar.gz", }, }, { Env: []string{}, diff --git a/pkg/experiment/echcheck/handshake.go b/pkg/experiment/echcheck/handshake.go index def79c65..279f364f 100644 --- a/pkg/experiment/echcheck/handshake.go +++ b/pkg/experiment/echcheck/handshake.go @@ -50,7 +50,7 @@ func handshakeWithExtension(ctx context.Context, conn net.Conn, zeroTime time.Ti // We are creating the pool just once because there is a performance penalty // when creating it every time. See https://github.com/ooni/probe/issues/2413. -var certpool = netxlite.NewDefaultCertPool() +var certpool = netxlite.NewMozillaCertPool() // genTLSConfig generates tls.Config from a given SNI func genTLSConfig(sni string) *tls.Config { diff --git a/pkg/experiment/ndt7/dial.go b/pkg/experiment/ndt7/dial.go index 2a06c965..b8144458 100644 --- a/pkg/experiment/ndt7/dial.go +++ b/pkg/experiment/ndt7/dial.go @@ -29,12 +29,6 @@ func newDialManager(ndt7URL string, logger model.Logger, userAgent string) dialM } } -// We force using our bundled CA pool, which should fix -// https://github.com/ooni/probe/issues/2031. We are creating -// the pool just once because there is a performance penalty -// when creating it every time. See https://github.com/ooni/probe/issues/2413. -var certpool = netxlite.NewDefaultCertPool() - func (mgr dialManager) dialWithTestName(ctx context.Context, testName string) (*websocket.Conn, error) { reso := netxlite.NewStdlibResolver(mgr.logger) dlr := netxlite.NewDialerWithResolver(mgr.logger, reso) 
@@ -42,8 +36,11 @@ func (mgr dialManager) dialWithTestName(ctx context.Context, testName string) (* // Implements shaping if the user builds using `-tags shaping` // See https://github.com/ooni/probe/issues/2112 dlr = netxlite.NewMaybeShapingDialer(dlr) + // See https://github.com/ooni/probe/issues/2413 to understand + // why we're using nil to force netxlite to use the cached + // default Mozilla cert pool. tlsConfig := &tls.Config{ - RootCAs: certpool, + RootCAs: nil, } dialer := websocket.Dialer{ NetDialContext: dlr.DialContext, diff --git a/pkg/experiment/riseupvpn/riseupvpn.go b/pkg/experiment/riseupvpn/riseupvpn.go index 8f15ff8b..bdf045cc 100644 --- a/pkg/experiment/riseupvpn/riseupvpn.go +++ b/pkg/experiment/riseupvpn/riseupvpn.go @@ -186,7 +186,7 @@ func (m Measurer) Run(ctx context.Context, args *model.ExperimentArgs) error { measurement.TestKeys = testkeys urlgetter.RegisterExtensions(measurement) - certPool := netxlite.NewDefaultCertPool() + certPool := netxlite.NewMozillaCertPool() // used multiple times below multi := urlgetter.Multi{ diff --git a/pkg/experiment/signal/signal.go b/pkg/experiment/signal/signal.go index 12f80e7d..29ec3257 100644 --- a/pkg/experiment/signal/signal.go +++ b/pkg/experiment/signal/signal.go @@ -15,7 +15,7 @@ import ( const ( testName = "signal" - testVersion = "0.2.2" + testVersion = "0.2.3" signalCA = `-----BEGIN CERTIFICATE----- MIID7zCCAtegAwIBAgIJAIm6LatK5PNiMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYD @@ -149,7 +149,7 @@ func (m Measurer) Run(ctx context.Context, args *model.ExperimentArgs) error { defer cancel() urlgetter.RegisterExtensions(measurement) - certPool := netxlite.NewDefaultCertPool() + certPool := netxlite.NewMozillaCertPool() signalCAByteSlice := [][]byte{ []byte(signalCA), []byte(signalCANew), diff --git a/pkg/experiment/signal/signal_test.go b/pkg/experiment/signal/signal_test.go index bac6245b..0af8a433 100644 --- a/pkg/experiment/signal/signal_test.go +++ b/pkg/experiment/signal/signal_test.go 
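Review bot: `RootCAs: nil` selects netxlite's cached Mozilla pool only when netxlite performs the TLS handshake, and in dialWithTestName the config sits next to a `websocket.Dialer` that is given just `NetDialContext`. If `tlsConfig` is handed to that dialer as its TLS client config further down (outside this hunk), the handshake runs in crypto/tls, where a nil `RootCAs` means the host's system root set. That would undo the bundled-pool behaviour the removed comment tied to https://github.com/ooni/probe/issues/2031 and make certificate verification depend on whatever CA store the device ships. In that case keep one cached pool for the package, `var certpool = netxlite.NewMozillaCertPool()`, and set `RootCAs: certpool`; this still avoids the per-call construction cost described in issue 2413. The added comment should then say which component consumes the config, since the claim about nil does not hold for a plain crypto/tls client.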
@@ -17,7 +17,7 @@ func TestNewExperimentMeasurer(t *testing.T) { if measurer.ExperimentName() != "signal" { t.Fatal("unexpected name") } - if measurer.ExperimentVersion() != "0.2.2" { + if measurer.ExperimentVersion() != "0.2.3" { t.Fatal("unexpected version") } } diff --git a/pkg/netxlite/certifi.go b/pkg/netxlite/certifi.go index beb0105e..3b5c7c08 100644 --- a/pkg/netxlite/certifi.go +++ b/pkg/netxlite/certifi.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// 2023-01-05 13:49:12.079921 +0100 CET m=+0.354000293 +// 2023-05-31 11:09:58.566952 +0200 CEST m=+0.556580876 // https://curl.haxx.se/ca/cacert.pem package netxlite @@ -10,7 +10,7 @@ const pemcerts string = ` ## ## Bundle of CA Root Certificates ## -## Certificate data from Mozilla as of: Tue Oct 11 03:12:05 2022 GMT +## Certificate data from Mozilla as of: Tue May 30 03:12:04 2023 GMT ## ## This is a bundle of X.509 certificates of public Certificate Authorities ## (CA). These were automatically extracted from Mozilla's root certificates @@ -23,7 +23,7 @@ const pemcerts string = ` ## Just configure this file as the SSLCACertificateFile. ## ## Conversion done with mk-ca-bundle.pl version 1.29. -## SHA256: 3ff8bd209b5f2e739b9f2b96eacb694a774114685b02978257824f37ff528f71 +## SHA256: c47475103fb05bb562bbadff0d1e72346b03236154e1448a6ca191b740f83507 ## 
@@ -498,29 +498,6 @@ IGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5ddBA6+C4OmF4O5MBKgxTMVBbkN +8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IBZQ== -----END CERTIFICATE----- -Network Solutions Certificate Authority -======================================= ------BEGIN CERTIFICATE----- -MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQG -EwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3Jr -IFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMx -MjM1OTU5WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu -MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwzc7MEL7xx -jOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPPOCwGJgl6cvf6UDL4wpPT -aaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rlmGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXT -crA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc -/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMB -AAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIBBjAP -BgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwubmV0c29sc3NsLmNv -bS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUA -A4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc86fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q -4LqILPxFzBiwmZVRDuwduIj/h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/ -GGUsyfJj4akH/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv -wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxD -ydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey ------END CERTIFICATE----- - COMODO ECC Certification Authority ================================== -----BEGIN CERTIFICATE----- 
@@ -635,26 +612,6 @@ NwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2XjG4Kvte9nHfRCaexOYNkbQu dZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E= -----END CERTIFICATE----- -Hongkong Post Root CA 1 -======================= ------BEGIN CERTIFICATE----- -MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoT -DUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMB4XDTAzMDUx -NTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25n -IFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1 -ApzQjVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEnPzlTCeqr -auh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjhZY4bXSNmO7ilMlHIhqqh -qZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9nnV0ttgCXjqQesBCNnLsak3c78QA3xMY -V18meMjWCnl3v/evt3a5pQuEF10Q6m/hq5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNV -HRMBAf8ECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7i -h9legYsCmEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI37pio -l7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clBoiMBdDhViw+5Lmei -IAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJsEhTkYY2sEJCehFC78JZvRZ+K88ps -T/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpOfMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilT -c4afU9hDDl3WY4JxHYB0yvbiAmvZWg== ------END CERTIFICATE----- - SecureSign RootCA11 =================== -----BEGIN CERTIFICATE----- 
@@ -1293,40 +1250,6 @@ Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVxSK236thZiNSQvxaz2ems WWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY= -----END CERTIFICATE----- -E-Tugra Certification Authority -=============================== ------BEGIN CERTIFICATE----- -MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNVBAYTAlRSMQ8w -DQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamls -ZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN -ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMw -NTEyMDk0OFoXDTIzMDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmEx -QDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxl -cmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQD -DB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A -MIICCgKCAgEA4vU/kwVRHoViVF56C/UYB4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vd -hQd2h8y/L5VMzH2nPbxHD5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5K -CKpbknSFQ9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEoq1+g -ElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3Dk14opz8n8Y4e0ypQ -BaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcHfC425lAcP9tDJMW/hkd5s3kc91r0 -E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsutdEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gz -rt48Ue7LE3wBf4QOXVGUnhMMti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAq -jqFGOjGY5RH8zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn -rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUXU8u3Zg5mTPj5 -dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6Jyr+zE7S6E5UMA8GA1UdEwEB -/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEG -MA0GCSqGSIb3DQEBCwUAA4ICAQAFNzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAK -kEh47U6YA5n+KGCRHTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jO -XKqYGwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c77NCR807 
-VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3+GbHeJAAFS6LrVE1Uweo -a2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WKvJUawSg5TB9D0pH0clmKuVb8P7Sd2nCc -dlqMQ1DujjByTd//SffGqWfZbawCEeI6FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEV -KV0jq9BgoRJP3vQXzTLlyb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gT -Dx4JnW2PAJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpDy4Q0 -8ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8dNL/+I5c30jn6PQ0G -C7TbO6Orb1wdtn7os4I07QZcJA== ------END CERTIFICATE----- - T-TeleSec GlobalRoot Class 2 ============================ -----BEGIN CERTIFICATE----- 
@@ -1663,36 +1586,6 @@ uglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7 yFz9SO8NdCKoCOJuxUnOxwy8p2Fp8fc74SrL+SvzZpA3 -----END CERTIFICATE----- -Staat der Nederlanden EV Root CA -================================ ------BEGIN CERTIFICATE----- -MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJOTDEeMBwGA1UE -CgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJsYW5kZW4g -RVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0yMjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5M -MR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRl -cmxhbmRlbiBFViBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkk -SzrSM4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nCUiY4iKTW -O0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3dZ//BYY1jTw+bbRcwJu+r -0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46prfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8 -Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13lpJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gV -XJrm0w912fxBmJc+qiXbj5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr -08C+eKxCKFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS/ZbV -0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0XcgOPvZuM5l5Tnrmd -74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH1vI4gnPah1vlPNOePqc7nvQDs/nx -fRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrPpx9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNC -MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwa -ivsnuL8wbqg7MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI -eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u2dfOWBfoqSmu -c0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHSv4ilf0X8rLiltTMMgsT7B/Zq -5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTCwPTxGfARKbalGAKb12NMcIxHowNDXLldRqAN -b/9Zjr7dn3LDWyvfjFvO5QxGbJKyCqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tN -f1zuacpzEPuKqf2evTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi -5Dp6Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIaGl6I6lD4 
-WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeLeG9QgkRQP2YGiqtDhFZK -DyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGy -eUN51q1veieQA6TqJIc/2b3Z6fJfUEkc7uzXLg== ------END CERTIFICATE----- - IdenTrust Commercial Root CA 1 ============================== -----BEGIN CERTIFICATE----- 
@@ -2144,87 +2037,6 @@ F8Io2c9Si1vIY9RCPqAzekYu9wogRlR+ak8x8YF+QnQ4ZXMn7sZ8uI7XpTrXmKGcjBBV09tL7ECQ aaApJUqlyyvdimYHFngVV3Eb7PVHhPOeMTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== -----END CERTIFICATE----- -TrustCor RootCert CA-1 -====================== ------BEGIN CERTIFICATE----- -MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYDVQQGEwJQQTEP -MA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3Ig -U3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp -dHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkx -MjMxMTcyMzE2WjCBpDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFu -YW1hIENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUGA1UECwwe -VHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZUcnVzdENvciBSb290Q2Vy -dCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv463leLCJhJrMxnHQFgKq1mq -jQCj/IDHUHuO1CAmujIS2CNUSSUQIpidRtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4 -pQa81QBeCQryJ3pS/C3Vseq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0 -JEsq1pme9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CVEY4h -gLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorWhnAbJN7+KIor0Gqw -/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/DeOxCbeKyKsZn3MzUOcwHwYDVR0j -BBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC -AYYwDQYJKoZIhvcNAQELBQADggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5 -mDo4Nvu7Zp5I/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf -ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZyonnMlo2HD6C -qFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djtsL1Ac59v2Z3kf9YKVmgenFK+P -3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdNzl/HHk484IkzlQsPpTLWPFp5LBk= ------END CERTIFICATE----- - -TrustCor RootCert CA-2 -====================== ------BEGIN CERTIFICATE----- -MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNVBAYTAlBBMQ8w 
-DQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVzdENvciBT -eXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0 -eTEfMB0GA1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEy -MzExNzI2MzlaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5h -bWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U -cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0 -IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnIG7CKqJiJJWQdsg4foDSq8Gb -ZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9Nk -RvRUqdw6VC0xK5mC8tkq1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1 -oYxOdqHp2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nKDOOb -XUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hapeaz6LMvYHL1cEksr1 -/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF3wP+TfSvPd9cW436cOGlfifHhi5q -jxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQP -eSghYA2FFn3XVDjxklb9tTNMg9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+Ctg -rKAmrhQhJ8Z3mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh -8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAdBgNVHQ4EFgQU -2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6UnrybPZx9mCAZ5YwwYrIwDwYD -VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/h -Osh80QA9z+LqBrWyOrsGS2h60COXdKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnp -kpfbsEZC89NiqpX+MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv -2wnL/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RXCI/hOWB3 -S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYaZH9bDTMJBzN7Bj8RpFxw -PIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dv -DDqPys/cA8GiCcjl/YBeyGBCARsaU1q7N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYU -RpFHmygk71dSTlxCnKr3Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANE 
-xdqtvArBAs8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp5KeX -RKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu1uwJ ------END CERTIFICATE----- - -TrustCor ECA-1 -============== ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYDVQQGEwJQQTEP -MA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3Ig -U3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp -dHkxFzAVBgNVBAMMDlRydXN0Q29yIEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3Mjgw -N1owgZwxCzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5 -MSQwIgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29y -IENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3IgRUNBLTEwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb3w9U73NjKYKtR8aja+3+XzP4Q1HpGjOR -MRegdMTUpwHmspI+ap3tDvl0mEDTPwOABoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23 -xFUfJ3zSCNV2HykVh0A53ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmc -p0yJF4OuowReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/wZ0+ -fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZFZtS6mFjBAgMBAAGj -YzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAfBgNVHSMEGDAWgBREnkj1zG1I1KBL -f/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF -AAOCAQEABT41XBVwm8nHc2FvcivUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u -/ukZMjgDfxT2AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F -hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50soIipX1TH0Xs -J5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BIWJZpTdwHjFGTot+fDz2LYLSC -jaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1WitJ/X5g== ------END CERTIFICATE----- - SSL.com Root Certification Authority RSA ======================================== -----BEGIN CERTIFICATE----- 
@@ -3514,4 +3326,49 @@ snNdo4gIxwwCMQDAqy0Obe0YottT6SXbVQjgUMzfRGEWgqtJsLKB7HOHeLRMsmIbEvoWTSVLY70e N9k= -----END CERTIFICATE----- +BJCA Global Root CA1 +==================== +-----BEGIN CERTIFICATE----- +MIIFdDCCA1ygAwIBAgIQVW9l47TZkGobCdFsPsBsIDANBgkqhkiG9w0BAQsFADBUMQswCQYDVQQG +EwJDTjEmMCQGA1UECgwdQkVJSklORyBDRVJUSUZJQ0FURSBBVVRIT1JJVFkxHTAbBgNVBAMMFEJK +Q0EgR2xvYmFsIFJvb3QgQ0ExMB4XDTE5MTIxOTAzMTYxN1oXDTQ0MTIxMjAzMTYxN1owVDELMAkG +A1UEBhMCQ04xJjAkBgNVBAoMHUJFSUpJTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZMR0wGwYDVQQD +DBRCSkNBIEdsb2JhbCBSb290IENBMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPFm +CL3ZxRVhy4QEQaVpN3cdwbB7+sN3SJATcmTRuHyQNZ0YeYjjlwE8R4HyDqKYDZ4/N+AZspDyRhyS +sTphzvq3Rp4Dhtczbu33RYx2N95ulpH3134rhxfVizXuhJFyV9xgw8O558dnJCNPYwpj9mZ9S1Wn +P3hkSWkSl+BMDdMJoDIwOvqfwPKcxRIqLhy1BDPapDgRat7GGPZHOiJBhyL8xIkoVNiMpTAK+BcW +yqw3/XmnkRd4OJmtWO2y3syJfQOcs4ll5+M7sSKGjwZteAf9kRJ/sGsciQ35uMt0WwfCyPQ10WRj +eulumijWML3mG90Vr4TqnMfK9Q7q8l0ph49pczm+LiRvRSGsxdRpJQaDrXpIhRMsDQa4bHlW/KNn +MoH1V6XKV0Jp6VwkYe/iMBhORJhVb3rCk9gZtt58R4oRTklH2yiUAguUSiz5EtBP6DF+bHq/pj+b +OT0CFqMYs2esWz8sgytnOYFcuX6U1WTdno9uruh8W7TXakdI136z1C2OVnZOz2nxbkRs1CTqjSSh +GL+9V/6pmTW12xB3uD1IutbB5/EjPtffhZ0nPNRAvQoMvfXnjSXWgXSHRtQpdaJCbPdzied9v3pK +H9MiyRVVz99vfFXQpIsHETdfg6YmV6YBW37+WGgHqel62bno/1Afq8K0wM7o6v0PvY1NuLxxAgMB +AAGjQjBAMB0GA1UdDgQWBBTF7+3M2I0hxkjk49cULqcWk+WYATAPBgNVHRMBAf8EBTADAQH/MA4G +A1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAUoKsITQfI/Ki2Pm4rzc2IInRNwPWaZ+4 +YRC6ojGYWUfo0Q0lHhVBDOAqVdVXUsv45Mdpox1NcQJeXyFFYEhcCY5JEMEE3KliawLwQ8hOnThJ +dMkycFRtwUf8jrQ2ntScvd0g1lPJGKm1Vrl2i5VnZu69mP6u775u+2D2/VnGKhs/I0qUJDAnyIm8 +60Qkmss9vk/Ves6OF8tiwdneHg56/0OGNFK8YT88X7vZdrRTvJez/opMEi4r89fO4aL/3Xtw+zuh +TaRjAv04l5U/BXCga99igUOLtFkNSoxUnMW7gZ/NfaXvCyUeOiDbHPwfmGcCCtRzRBPbUYQaVQNW +4AB+dAb/OMRyHdOoP2gxXdMJxy6MW2Pg6Nwe0uxhHvLe5e/2mXZgLR6UcnHGCyoyx5JO1UbXHfmp +GQrI+pXObSOYqgs4rZpWDW+N8TEAiMEXnM0ZNjX+VVOg4DwzX5Ze4jLp3zO7Bkqp2IRzznfSxqxx +4VyjHQy7Ct9f4qNx2No3WqB4K/TUfet27fJhcKVlmtOJNBir+3I+17Q9eVzYH6Eze9mCUAyTF6ps 
+3MKCuwJXNq+YJyo5UOGwifUll35HaBC07HPKs5fRJNz2YqAo07WjuGS3iGJCz51TzZm+ZGiPTx4S +SPfSKcOYKMryMguTjClPPGAyzQWWYezyr/6zcCwupvI= +-----END CERTIFICATE----- + +BJCA Global Root CA2 +==================== +-----BEGIN CERTIFICATE----- +MIICJTCCAaugAwIBAgIQLBcIfWQqwP6FGFkGz7RK6zAKBggqhkjOPQQDAzBUMQswCQYDVQQGEwJD +TjEmMCQGA1UECgwdQkVJSklORyBDRVJUSUZJQ0FURSBBVVRIT1JJVFkxHTAbBgNVBAMMFEJKQ0Eg +R2xvYmFsIFJvb3QgQ0EyMB4XDTE5MTIxOTAzMTgyMVoXDTQ0MTIxMjAzMTgyMVowVDELMAkGA1UE +BhMCQ04xJjAkBgNVBAoMHUJFSUpJTkcgQ0VSVElGSUNBVEUgQVVUSE9SSVRZMR0wGwYDVQQDDBRC +SkNBIEdsb2JhbCBSb290IENBMjB2MBAGByqGSM49AgEGBSuBBAAiA2IABJ3LgJGNU2e1uVCxA/jl +SR9BIgmwUVJY1is0j8USRhTFiy8shP8sbqjV8QnjAyEUxEM9fMEsxEtqSs3ph+B99iK++kpRuDCK +/eHeGBIK9ke35xe/J4rUQUyWPGCWwf0VHKNCMEAwHQYDVR0OBBYEFNJKsVF/BvDRgh9Obl+rg/xI +1LCRMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMBq8 +W9f+qdJUDkpd0m2xQNz0Q9XSSpkZElaA94M04TVOSG0ED1cxMDAtsaqdAzjbBgIxAMvMh1PLet8g +UXOQwKhbYdDFUDn9hf7B43j4ptZLvZuHjw/l1lOWqzzIQNph91Oj9w== +-----END CERTIFICATE----- + ` diff --git a/pkg/netxlite/errno.go b/pkg/netxlite/errno.go index a7e69d21..eb9db4cd 100644 --- a/pkg/netxlite/errno.go +++ b/pkg/netxlite/errno.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.949175 +0100 CET m=+0.549961043 +// Generated: 2023-05-31 11:09:59.128923 +0200 CEST m=+0.224674501 package netxlite diff --git a/pkg/netxlite/errno_darwin.go b/pkg/netxlite/errno_darwin.go index 90e61aa0..2351a214 100644 --- a/pkg/netxlite/errno_darwin.go +++ b/pkg/netxlite/errno_darwin.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.399627 +0100 CET m=+0.000401126 +// Generated: 2023-05-31 11:09:58.904502 +0200 CEST m=+0.000247709 package netxlite diff --git a/pkg/netxlite/errno_darwin_test.go b/pkg/netxlite/errno_darwin_test.go index 2a3829e4..e8c6a107 100644 --- a/pkg/netxlite/errno_darwin_test.go +++ b/pkg/netxlite/errno_darwin_test.go 
@@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.657848 +0100 CET m=+0.258627918 +// Generated: 2023-05-31 11:09:58.962606 +0200 CEST m=+0.058353251 package netxlite diff --git a/pkg/netxlite/errno_freebsd.go b/pkg/netxlite/errno_freebsd.go index dddb5fbb..f7de074f 100644 --- a/pkg/netxlite/errno_freebsd.go +++ b/pkg/netxlite/errno_freebsd.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.693696 +0100 CET m=+0.294476460 +// Generated: 2023-05-31 11:09:58.986123 +0200 CEST m=+0.081871334 package netxlite diff --git a/pkg/netxlite/errno_freebsd_test.go b/pkg/netxlite/errno_freebsd_test.go index 135398b4..e7556125 100644 --- a/pkg/netxlite/errno_freebsd_test.go +++ b/pkg/netxlite/errno_freebsd_test.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.749087 +0100 CET m=+0.349869001 +// Generated: 2023-05-31 11:09:59.006625 +0200 CEST m=+0.102373584 package netxlite diff --git a/pkg/netxlite/errno_linux.go b/pkg/netxlite/errno_linux.go index aad72ce4..2f2da2ca 100644 --- a/pkg/netxlite/errno_linux.go +++ b/pkg/netxlite/errno_linux.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.836439 +0100 CET m=+0.437222210 +// Generated: 2023-05-31 11:09:59.059949 +0200 CEST m=+0.155698959 package netxlite diff --git a/pkg/netxlite/errno_linux_test.go b/pkg/netxlite/errno_linux_test.go index 11411897..344e6818 100644 --- a/pkg/netxlite/errno_linux_test.go +++ b/pkg/netxlite/errno_linux_test.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.879503 +0100 CET m=+0.480287376 +// Generated: 2023-05-31 11:09:59.078206 +0200 CEST m=+0.173955501 package netxlite diff --git a/pkg/netxlite/errno_openbsd.go b/pkg/netxlite/errno_openbsd.go index 06e43fba..4db2a875 100644 --- a/pkg/netxlite/errno_openbsd.go +++ b/pkg/netxlite/errno_openbsd.go 
@@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.772233 +0100 CET m=+0.373015001 +// Generated: 2023-05-31 11:09:59.024286 +0200 CEST m=+0.120034584 package netxlite diff --git a/pkg/netxlite/errno_openbsd_test.go b/pkg/netxlite/errno_openbsd_test.go index 5ea5f62d..44516da2 100644 --- a/pkg/netxlite/errno_openbsd_test.go +++ b/pkg/netxlite/errno_openbsd_test.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.816566 +0100 CET m=+0.417348543 +// Generated: 2023-05-31 11:09:59.042781 +0200 CEST m=+0.138530209 package netxlite diff --git a/pkg/netxlite/errno_windows.go b/pkg/netxlite/errno_windows.go index 0ff94924..dbfb2d21 100644 --- a/pkg/netxlite/errno_windows.go +++ b/pkg/netxlite/errno_windows.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.900012 +0100 CET m=+0.500796793 +// Generated: 2023-05-31 11:09:59.094846 +0200 CEST m=+0.190596584 package netxlite diff --git a/pkg/netxlite/errno_windows_test.go b/pkg/netxlite/errno_windows_test.go index 3a923621..e1377a45 100644 --- a/pkg/netxlite/errno_windows_test.go +++ b/pkg/netxlite/errno_windows_test.go @@ -1,5 +1,5 @@ // Code generated by go generate; DO NOT EDIT. -// Generated: 2023-01-05 13:49:12.92982 +0100 CET m=+0.530604876 +// Generated: 2023-05-31 11:09:59.11131 +0200 CEST m=+0.207060334 package netxlite diff --git a/pkg/netxlite/filtering/tls_test.go b/pkg/netxlite/filtering/tls_test.go index c332dc3c..cc3a96c9 100644 --- a/pkg/netxlite/filtering/tls_test.go +++ b/pkg/netxlite/filtering/tls_test.go 
@@ -96,7 +96,7 @@ func TestTLSServer(t *testing.T) { // see this test failing with a different error string here. config := &tls.Config{ ServerName: "dns.google", - RootCAs: netxlite.NewDefaultCertPool(), + RootCAs: netxlite.NewMozillaCertPool(), } conn, err := tls.Dial("tcp", srv.Endpoint(), config) if err == nil || !strings.HasSuffix(err.Error(), "certificate signed by unknown authority") { diff --git a/pkg/netxlite/tls.go b/pkg/netxlite/tls.go index eb720811..34a554d3 100644 --- a/pkg/netxlite/tls.go +++ b/pkg/netxlite/tls.go @@ -96,14 +96,14 @@ func TLSCipherSuiteString(value uint16) string { return fmt.Sprintf("TLS_CIPHER_SUITE_UNKNOWN_%d", value) } -// NewDefaultCertPool returns the default x509 certificate pool +// NewMozillaCertPool returns the default x509 certificate pool // that we bundle from Mozilla. It's safe to modify the returned // value: every invocation returns a distinct *x509.CertPool // instance. You SHOULD NOT call this function every time your // experiment is processing input. If you are happy with the // default cert pool, just leave the RootCAs field nil. Otherwise, // you should cache the cert pool you use. -func NewDefaultCertPool() *x509.CertPool { +func NewMozillaCertPool() *x509.CertPool { pool := x509.NewCertPool() // Assumption: AppendCertsFromPEM cannot fail because we // have a test in certify_test.go that guarantees that diff --git a/pkg/netxlite/tls_test.go b/pkg/netxlite/tls_test.go index 5e7839e8..48ccf5aa 100644 --- a/pkg/netxlite/tls_test.go +++ b/pkg/netxlite/tls_test.go @@ -46,8 +46,8 @@ func TestCipherSuite(t *testing.T) { } } -func TestNewDefaultCertPoolWorks(t *testing.T) { - pool := NewDefaultCertPool() +func TestNewMozillaCertPoolWorks(t *testing.T) { + pool := NewMozillaCertPool() if pool == nil { t.Fatal("expected non-nil value here") } diff --git a/pkg/netxlite/tproxy.go b/pkg/netxlite/tproxy.go index 9b45f918..687e81da 100644 --- a/pkg/netxlite/tproxy.go +++ b/pkg/netxlite/tproxy.go 
@@ -50,7 +50,7 @@ type DefaultTProxy struct{} // // See https://github.com/ooni/probe/issues/2413 to understand why we // need a private static default pool. -var tproxyDefaultCertPool = NewDefaultCertPool() +var tproxyDefaultCertPool = NewMozillaCertPool() // DefaultCertPool implements model.UnderlyingNetwork func (tp *DefaultTProxy) DefaultCertPool() *x509.CertPool { diff --git a/pkg/stuninput/stuninput.go b/pkg/stuninput/stuninput.go index adbbb94d..a3ceaf14 100644 --- a/pkg/stuninput/stuninput.go +++ b/pkg/stuninput/stuninput.go @@ -9,23 +9,24 @@ import ( // TODO(bassosimone): we need to keep this list in sync with // the list internally used by TPO's snowflake. -var inputs = []string{ - "stun.voip.blackberry.com:3478", - "stun.antisip.com:3478", - "stun.bluesip.net:3478", - "stun.dus.net:3478", - "stun.epygi.com:3478", - "stun.sonetel.com:3478", - "stun.sonetel.net:3478", - "stun.uls.co.za:3478", - "stun.voipgate.com:3478", - "stun.voys.nl:3478", +// +// We should sync with https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/blob/main/projects/common/bridges_list.snowflake.txt +var inputs = map[string]bool{ + "stun.l.google.com:19302": true, + "stun.antisip.com:3478": true, + "stun.bluesip.net:3478": true, + "stun.dus.net:3478": true, + "stun.epygi.com:3478": true, + "stun.sonetel.com:3478": true, + "stun.uls.co.za:3478": true, + "stun.voipgate.com:3478": true, + "stun.voys.nl:3478": true, } // AsSnowflakeInput formats the input in the format // that is expected by snowflake. func AsSnowflakeInput() (output []string) { - for _, input := range inputs { + for input := range inputs { output = append(output, fmt.Sprintf("stun:%s", input)) } return 
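Review bot: Turning `inputs` into a `map[string]bool` in pkg/stuninput/stuninput.go makes `for input := range inputs` in AsSnowflakeInput return the STUN endpoints in a different order on every call, because Go randomizes map iteration; AsnStunReachabilityInput in the next hunk has the same change. If any consumer depends on a stable order (reproducible measurement input, or a client that walks the list in order; neither is visible here), add `sort.Strings(output)` before the `return` in both functions, which also needs `"sort"` in the import block above the hunk. The loops ignore the map value, so an entry set to `false` would still be emitted; `map[string]struct{}`, or keeping the slice and building the set only in the test, avoids that. AsSnowflakeInput's closing brace is outside the hunk.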
@@ -34,7 +35,7 @@ func AsSnowflakeInput() (output []string) { // AsnStunReachabilityInput formats the input in // the format that is expected by stunreachability. func AsnStunReachabilityInput() (output []string) { - for _, input := range inputs { + for input := range inputs { serio := (&url.URL{Scheme: "stun", Host: input}) output = append(output, serio.String()) } diff --git a/pkg/stuninput/stuninput_test.go b/pkg/stuninput/stuninput_test.go index c222a1e9..39db6224 100644 --- a/pkg/stuninput/stuninput_test.go +++ b/pkg/stuninput/stuninput_test.go @@ -1,17 +1,19 @@ package stuninput -import "testing" +import ( + "strings" + "testing" +) func TestAsSnowflakeInput(t *testing.T) { outputs := AsSnowflakeInput() if len(outputs) != len(inputs) { t.Fatal("unexpected number of entries") } - for idx := 0; idx < len(inputs); idx++ { - output := outputs[idx] - input := "stun:" + inputs[idx] - if input != output { - t.Fatal("mismatch") + for _, output := range outputs { + output = strings.TrimPrefix(output, "stun:") + if !inputs[output] { + t.Fatal("not found in inputs", output) } } } @@ -21,11 +23,10 @@ func TestAsStunReachabilityInput(t *testing.T) { if len(outputs) != len(inputs) { t.Fatal("unexpected number of entries") } - for idx := 0; idx < len(inputs); idx++ { - output := outputs[idx] - input := "stun://" + inputs[idx] - if input != output { - t.Fatal("mismatch") + for _, output := range outputs { + output = strings.TrimPrefix(output, "stun://") + if !inputs[output] { + t.Fatal("not found in inputs", output) } } }
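Review bot: In TestAsSnowflakeInput (pkg/stuninput/stuninput_test.go) the new loop no longer verifies the `stun:` prefix, because `strings.TrimPrefix` returns its argument unchanged when the prefix is absent, so an output emitted without the scheme would still be found in `inputs`. TestAsStunReachabilityInput in the following hunk has the same gap with `stun://`. Add `if !strings.HasPrefix(output, "stun:") { t.Fatal("missing prefix", output) }` before trimming, and the `stun://` equivalent in the second test. The length-plus-membership check also passes if one endpoint is emitted twice and another is dropped; deleting each matched key from a copy of `inputs` and asserting the copy ends empty would close that.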