the fast, reliable localhost tunneling solution


Pagekite.py 0.5.9, CA trust issue

By Bjarni RĂșnar 2016-11-22, 10:58

Version 0.5.9 of pagekite.py has been released and is available for download.

This is a critical update, please upgrade as soon as possible!

Highlights since version 0.5.8:

The latter two features will be discussed in future blog posts, please read on for information on the critical Certificate Authority trust issue.

The CA trust issue

This release of pagekite.py fixes a critical bug in how pagekite.py verifies the authenticity of the relays and other servers, including dynamic DNS. Note that although this post focuses on the impact on PageKite.net users, the same flaw may also have caused problems for people using TLS certificates with their own relay infrastructure.

Pagekite.py uses TLS security to protect the integrity and confidentiality of its connections to the PageKite.net servers, and until recently the PageKite service TLS certificate were signed by StartCom. Unfortunately, due to a breach of trust, StartCom is no longer a trusted certificate authority and we are in the process of changing our certificates as a result.

Normally changing certificates and Certificate Authorities would be a routine upgrade, but due to a bug in the pagekite.py default configuration, certificates signed by any authority other than StartCom will fail to validate. This update corrects that flaw.

The StartCom-signed certificate we use to secure the PageKite tunnels will last for two more years, but the certificate used to validate our dynamic DNS service expires later this week - on the 26th of November.

Impact Timeline

November 26, 2016: old versions of pagekite.py will no longer be able to update DNS records.

Most of the time, this will cause no problems. However, in the event of network outages or server downtime, PageKite's ability to adapt and migrate to a different relay will be impaired - even if pagekite.py establishes a new tunnel connection

Late 2018: old versions of pagekite.py will stop working completely.

At this point, our last certificate from StartCom will have expired and instances of pagekite.py that have neither been upgraded or reconfigured will go off-line. The exact date for this event is currently unknown; the certificate itself expires on December 27th, 2018, but we may need to change certificates sooner if other issues come up.

Solutions

The preferred solution is to upgrade to pagekite.py 0.5.9 or later.

If an upgrade is infeasible, a configuration change can also be used to work around the issue; by adding the following line to your configuration (after the defaults line, if it is present):

ca_certs=/etc/ssl/certs/ca-certificates.crt

Notes:

Comments

None, comments are closed.

The Blog

Welcome to the PageKite blog!

Here we write about anything and everything to do with running the service, building a company, open-source, privacy online... you name it.

But mostly it's about PageKite.

Other venues