Unverified Commit 083f4095 authored by Kali Kaneko's avatar Kali Kaneko
Browse files

[feat] reuse certificate if found in config folder

parent 1d0bdcd6
Censorship Circumvention
================================================================================
This document contains some advice for using BitmaskVPN for censorship
circumvention.
Bootstrapping the connection
-----------------------------
There are two different steps where circumvention can be used: boostrapping the
connection (getting a certificate and the configuration files) and using an
obfuscated transport protocol. At the moment RiseupVPN offers obfs4 transport
"bridges" (you can try them with the `--obfs4` command line argument). For the
initial bootstrap, there are a couple of techniques that will be attempted.
Getting certificates off-band
-----------------------------
As a last resort, you can place a valid certificate in the config folder (name
it after the provider domain). You might have downloaded this cert with Tor,
using a socks proxy etc...
~/.config/leap/riseup.net.pem
When the certificate expires you will need to download a new one.
package vpn
import (
"crypto/x509"
"encoding/pem"
"io/ioutil"
"log"
"time"
)
func isValidCert(path string) bool {
data, err := ioutil.ReadFile(path)
if err != nil {
return false
}
// skip private key, but there should be one
_, rest := pem.Decode(data)
certBlock, rest := pem.Decode(rest)
if len(rest) != 0 {
log.Println("ERROR bad cert data")
return false
}
cert, err := x509.ParseCertificate(certBlock.Bytes)
loc, _ := time.LoadLocation("UTC")
expires := cert.NotAfter
tomorrow := time.Now().In(loc).Add(24 * time.Hour)
if !expires.After(tomorrow) {
return false
} else {
log.Println("DEBUG We have a valid cert:", path)
return true
}
}
......@@ -68,7 +68,7 @@ func Init() (*Bitmask, error) {
}
*/
err = ioutil.WriteFile(b.getCaCertPath(), config.CaCert, 0600)
err = ioutil.WriteFile(b.getTempCaCertPath(), config.CaCert, 0600)
go b.openvpnManagement()
return &b, err
......
......@@ -22,9 +22,11 @@ import (
"log"
"os"
"path"
"path/filepath"
"strconv"
"strings"
"0xacab.org/leap/bitmask-vpn/pkg/config"
"0xacab.org/leap/shapeshifter"
)
......@@ -167,7 +169,7 @@ func (b *Bitmask) startOpenVPN() error {
"--verb", "3",
"--management-client",
"--management", openvpnManagementAddr, openvpnManagementPort,
"--ca", b.getCaCertPath(),
"--ca", b.getTempCaCertPath(),
"--cert", b.certPemPath,
"--key", b.certPemPath,
"--persist-tun")
......@@ -175,17 +177,25 @@ func (b *Bitmask) startOpenVPN() error {
}
func (b *Bitmask) getCert() (certPath string, err error) {
certPath = b.getCertPemPath()
if _, err := os.Stat(certPath); os.IsNotExist(err) {
log.Println("Fetching certificate to", certPath)
cert, err := b.bonafide.GetPemCertificate()
if err != nil {
return "", err
persistentCertFile := filepath.Join(config.Path, strings.ToLower(config.Provider)+".pem")
if _, err := os.Stat(persistentCertFile); !os.IsNotExist(err) && isValidCert(persistentCertFile) {
// reuse cert. for the moment we're not writing one there, this is
// only to allow users to get certs off-band and place them there
// as a last-resort fallback for circumvention.
certPath = persistentCertFile
err = nil
} else {
// download one fresh
certPath = b.getTempCertPemPath()
if _, err := os.Stat(certPath); os.IsNotExist(err) {
log.Println("Fetching certificate to", certPath)
cert, err := b.bonafide.GetPemCertificate()
if err != nil {
return "", err
}
err = ioutil.WriteFile(certPath, cert, 0600)
}
err = ioutil.WriteFile(certPath, cert, 0600)
}
return certPath, err
}
......@@ -299,10 +309,10 @@ func (b *Bitmask) UseTransport(transport string) error {
return nil
}
func (b *Bitmask) getCertPemPath() string {
func (b *Bitmask) getTempCertPemPath() string {
return path.Join(b.tempdir, "openvpn.pem")
}
func (b *Bitmask) getCaCertPath() string {
func (b *Bitmask) getTempCaCertPath() string {
return path.Join(b.tempdir, "cacert.pem")
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment