[HTTPS-Everywhere] HTTPS Everywhere Ruleset Checker 0.2.0

Ondrej Mikle ondrej.mikle at nic.cz
Sun Nov 4 08:07:18 PST 2012


Hi,

I've finally found a way to fix or work around the known bugs in the checker. Short
changelog (README.md has more details):

- By default, fetching is done in a subprocess by PyCURL. The main code is threaded,
but every thread spawns a quick subprocess for fetching (process-level isolation
acts as a magic workaround for all kinds of bugs).
- A new option "static_ca_path" allows turning off the use of CA certs based on the
"platform" attribute in the ruleset and using a static directory with CA/intermediate
certs instead (useful for the transvalid set).
- Added a tarball into "platform_certs" with CA/intermediate certificates that
validate from the FF certs (for validating cert chains of servers that send
incomplete chains - the ones with "transvalid" certs). It might yet require some
cleanup to remove expired certs, etc. The set was generated from the following set
of intermediate/CA certs:
https://www.constructibleuniverse.net/hte_checker_certs/true_ca_certs.tar.gz
- Workaround for the CURL+NSS HTTP 400 bug caused by SNI and SSL session IDs
(using subprocesses works well).
- Workaround for threading race conditions with openssl/gnutls (again,
subprocesses to the rescue).

Since NSS is the library whose behavior is closest to Firefox's when
determining the validity of a cert chain, NSS is the recommended "backend" SSL
library for libcurl/pycurl.

Github link: https://github.com/hiviah/https-everywhere-checker

Ondrej
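
The "threaded driver, one short-lived subprocess per fetch" layout described in the message, as an added illustration that is not the checker's own code: the main process hands URLs to a thread pool, each thread runs the fetch in a child process with a timeout, and a child that crashes (as a native TLS library can under a race) or hangs (as a stuck handshake can) is reported as a per-URL failure instead of taking the whole run down. The worker script is a constructed stand-in for the PyCURL fetch, keyed on made-up URL prefixes ("crash://", "hang://") so it runs offline; `fetch_isolated`, `check_all` and `WORKER` are names chosen here, not names from the project.

```python
"""Threaded driver that isolates each fetch in its own subprocess (added example)."""
import concurrent.futures as cf
import json
import subprocess
import sys

# Child-side program. Constructed stand-in for the real PyCURL fetch: the
# "crash://" and "hang://" prefixes are invented here to simulate a library
# crash and a hung handshake without any network access.
WORKER = r'''
import json, os, sys, time
url = sys.argv[1]                       # python -c CODE URL  ->  argv[1] is URL
if url.startswith("crash://"):
    os.abort()                          # simulate a crash inside a native library
if url.startswith("hang://"):
    time.sleep(60)                      # simulate a TLS handshake that never returns
# A real worker would fetch here and emit the verdict as one JSON line on stdout.
print(json.dumps({"url": url, "status": 200, "bytes": len(url)}))
'''


def fetch_isolated(url, timeout=5.0):
    """Run one fetch in a child process and return a result dict; never raises.

    Crashes, hangs and garbage output are all turned into an "error" entry so
    one bad URL cannot poison the other threads' work.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", WORKER, url],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child on timeout before raising.
        return {"url": url, "error": "timeout"}
    if proc.returncode != 0:
        # Negative code on POSIX means the child died from a signal (e.g. SIGABRT).
        return {"url": url, "error": "child exited %d" % proc.returncode}
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError:
        return {"url": url, "error": "bad worker output"}


def check_all(urls, workers=4, timeout=5.0):
    """Fan the URLs out over a thread pool; each thread spawns its own child."""
    with cf.ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda u: fetch_isolated(u, timeout), urls)
        return dict(zip(urls, results))


if __name__ == "__main__":
    # Constructed input: one healthy fetch, one crashing child, one hung child.
    for url, res in check_all(["ok://a", "crash://b", "hang://c"], timeout=1.0).items():
        print(url, res)
```

The key property is that the parent only ever sees a return code, captured stdout and a timeout exception; whatever state a shared TLS library corrupts dies with the child, which is exactly why the message calls the subprocess a workaround rather than a fix.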
