signal: fix invalid certificate error in TLS handshake #2344

hellais · 2022-10-21T09:07:30Z

It appears that since the 19th of October 2022, signal has changed the root CA they use to sign certificates for certain endpoints we test.

In particular the VOIP endpoint now sees this cert:

% openssl s_client -connect sfu.voip.signal.org:443
CONNECTED(00000005)
depth=1 C = US, ST = California, L = Mountain View, O = "Signal Messenger, LLC", CN = Signal Messenger
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = California, L = Mountain View, O = "Signal Messenger, LLC", CN = Signal Messenger
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:C = US, ST = California, L = Mountain View, O = "Signal Messenger, LLC", CN = Signal Messenger
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 16:52:11 2022 GMT; NotAfter: Sep 23 22:40:56 2023 GMT
 1 s:C = US, ST = California, L = Mountain View, O = "Signal Messenger, LLC", CN = Signal Messenger
   i:C = US, ST = California, L = Mountain View, O = "Signal Messenger, LLC", CN = Signal Messenger
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 26 00:45:51 2022 GMT; NotAfter: Jan 24 00:45:50 2032 GMT
---

I believe this was added in February 2022 to the cert store of the android app through this commit: signalapp/Signal-Android@af3a39d.

While our test has a different CA: https://github.com/ooni/probe-cli/blob/e983a5cffb2f346c04f5187cde1f0b30b8a15781/internal/engine/experiment/signal/signal.go#L20

It's worth noting that the other endpoints are still on the old CA.

I guess the "easy" thing would be do just add this new root CA and consider it valid for both.

Alternatively we could just disable TLS validation entirely and delegate the job of figuring out if SSL is valid to the data processing pipeline, but this would give less accurate results in the app.

Yet another option, which is though much harder to implement, is to rely on a test helper which would have knowledge of what is the valid root CA and will perform the validation of the cert for the client.

I think we can start off with the easy fix of just adding this CA and then consider to do the other as future work.

The text was updated successfully, but these errors were encountered:

hellais · 2022-10-21T09:26:39Z

As a temporary workaround we might also want to flag all measurements from 2022-10-19 as failed until we deploy a fix to the probe

All measurements collected since 2022-10-19 with previous versions of OONI Probe will wrongly report sfu.voip.signal.org as blocked as it switched to using a different root CA This fixes: ooni/probe#2344

See ooni/probe#2344 and ooni/probe-cli#977

This commit backports fa281f2 from the master branch to release/3.16. All measurements collected since 2022-10-19 with previous versions of OONI Probe will wrongly report sfu.voip.signal.org as blocked as it switched to using a different root CA This fixes: ooni/probe#2344

bassosimone · 2022-10-31T15:12:44Z

Apparently, we now witness a different error:

[      1.281020] <info> [ 14.3%] signal: measure https://storage.signal.org/: ssl_unknown_authority
[      1.347009] <info> [ 28.6%] signal: measure https://cdn.signal.org/: ssl_unknown_authority
[      1.391473] <info> [ 42.9%] signal: measure https://cdn2.signal.org/: ssl_unknown_authority
[      1.401816] <info> [ 57.1%] signal: measure https://api.directory.signal.org/: ok
[      1.435467] <info> [ 71.4%] signal: measure dnslookup://uptime.signal.org: ok
[      1.485628] <info> [ 85.7%] signal: measure https://textsecure-service.whispersystems.org/: ssl_unknown_authority
[      1.536727] <info> [100.0%] signal: measure https://sfu.voip.signal.org/: ok
[      1.538972] <info> submitting measurement to OONI collector; please be patient...
[      1.571780] <info> New reportID: 20221031T145215Z_signal_IT_30722_n1_hmziFZoV8RDw1PBC

when using ooni/probe-cli@fa281f2

It won't probably be enough to fix the bug described at ooni/probe#2344, but it concludes the list of tasks related to v3.16.4. We'll probably need v3.16.5 for a more comprehensive fix.

See ooni/probe#2344

This cherry picks 606bc93. See ooni/probe#2344

This version contains a more comprehensive fix for the issue at ooni/probe#2344.

Reference issue: ooni/probe#2344

See ooni/probe#2344

bassosimone · 2022-11-01T15:44:19Z

It seems we implemented a more comprehensive fix now

* chore: use 3.16.5 This version contains a more comprehensive fix for the issue at ooni/probe#2344.

hellais added bug Something isn't working priority/high ooni/probe-engine labels Oct 21, 2022

hellais self-assigned this Oct 21, 2022

FedericoCeratto mentioned this issue Oct 21, 2022

Temporarily flag signal msmts as failed ooni/pipeline#400

Merged

This was referenced Oct 25, 2022

Add information about the signal bug to the test spec ooni/spec#265

Merged

Add new root CA to the signal test ooni/probe-cli#977

Merged

bassosimone closed this as completed in ooni/probe-cli#977 Oct 26, 2022

bassosimone pushed a commit to ooni/spec that referenced this issue Oct 26, 2022

Add information about the signal bug to the test spec (#265)

81056e4

See ooni/probe#2344 and ooni/probe-cli#977

bassosimone reopened this Oct 31, 2022

bassosimone changed the title ~~signal-test: fix invalid certificate error in TLS handshake~~ signal: fix invalid certificate error in TLS handshake Oct 31, 2022

This was referenced Oct 31, 2022

feat: use v3.16.5 ooni/probe-ios#502

Merged

feat: use v3.16.5 ooni/probe-android#545

Merged

Fix the signal root CA ooni/probe-cli#978

Merged

bassosimone pushed a commit to ooni/probe-cli that referenced this issue Oct 31, 2022

Fix the signal root CA (#978)

606bc93

See ooni/probe#2344

bassosimone pushed a commit to ooni/probe-cli that referenced this issue Oct 31, 2022

Fix the signal root CA (#978)

5f2aea3

This cherry picks 606bc93. See ooni/probe#2344

bassosimone added a commit to ooni/probe-ios that referenced this issue Nov 1, 2022

chore: use 3.16.5

248d685

This version contains a more comprehensive fix for the issue at ooni/probe#2344.

bassosimone added a commit to ooni/probe-android that referenced this issue Nov 1, 2022

chore: use 3.16.5

8c41988

This version contains a more comprehensive fix for the issue at ooni/probe#2344.

bassosimone added a commit to ooni/probe-desktop that referenced this issue Nov 1, 2022

fix: use 3.16.5 with a better signal fix

ec97a65

Reference issue: ooni/probe#2344

bassosimone mentioned this issue Nov 1, 2022

fix: use 3.16.5 with a better signal fix ooni/probe-desktop#311

Closed

bassosimone pushed a commit to ooni/spec that referenced this issue Nov 1, 2022

Signal fix (#266)

9248b94

See ooni/probe#2344

bassosimone closed this as completed Nov 1, 2022

aanorbel pushed a commit to ooni/probe-ios that referenced this issue Nov 2, 2022

feat: use v3.16.5 (#502)

e76a23b

* chore: use 3.16.5 This version contains a more comprehensive fix for the issue at ooni/probe#2344.

aanorbel pushed a commit to ooni/probe-android that referenced this issue Nov 2, 2022

feat: use v3.16.5 (#545)

bd15c5c

* chore: use 3.16.5 This version contains a more comprehensive fix for the issue at ooni/probe#2344.

hellais mentioned this issue Apr 21, 2023

Signal test fail with SSL Error #2459

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

signal: fix invalid certificate error in TLS handshake #2344

signal: fix invalid certificate error in TLS handshake #2344

hellais commented Oct 21, 2022

hellais commented Oct 21, 2022

bassosimone commented Oct 31, 2022

bassosimone commented Nov 1, 2022

signal: fix invalid certificate error in TLS handshake #2344

signal: fix invalid certificate error in TLS handshake #2344

Comments

hellais commented Oct 21, 2022

hellais commented Oct 21, 2022

bassosimone commented Oct 31, 2022

bassosimone commented Nov 1, 2022