authorDavid Lönnhager <david.l@mullvad.net>2021-10-05 13:00:43 +0200
committerDavid Lönnhager <david.l@mullvad.net>2021-10-07 18:05:30 +0200
commitfaa05edc1c8a877a07c73de37f133442fb471124 (patch)
treefca550f1158a1101f82e20cd5bd181a6865b748f
parent15990ef3c9d26640dc99ecdeb77bf44352df8b50 (diff)
downloadmullvadvpn-faa05edc1c8a877a07c73de37f133442fb471124.tar.xz
mullvadvpn-faa05edc1c8a877a07c73de37f133442fb471124.zip
Remove expired LE certificate
-rw-r--r--ios/Assets/le_root_cert.cer (renamed from ios/Assets/new_le_root_cert.cer)bin1391 -> 1391 bytes
-rw-r--r--ios/Assets/old_le_root_cert.cerbin846 -> 0 bytes
-rw-r--r--ios/BuildInstructions.md3
-rw-r--r--ios/MullvadVPN.xcodeproj/project.pbxproj18
-rw-r--r--ios/MullvadVPN/REST/RESTClient.swift5
-rw-r--r--mullvad-rpc/le_root_cert.pem (renamed from mullvad-rpc/new_le_root_cert.pem)0
-rw-r--r--mullvad-rpc/old_le_root_cert.pem20
-rw-r--r--mullvad-rpc/src/https_client_with_sni.rs13
8 files changed, 11 insertions, 48 deletions
diff --git a/ios/Assets/new_le_root_cert.cer b/ios/Assets/le_root_cert.cer
index 9d2132e7f1..9d2132e7f1 100644
--- a/ios/Assets/new_le_root_cert.cer
+++ b/ios/Assets/le_root_cert.cer
Binary files differ
diff --git a/ios/Assets/old_le_root_cert.cer b/ios/Assets/old_le_root_cert.cer
deleted file mode 100644
index 95500f6bd1..0000000000
--- a/ios/Assets/old_le_root_cert.cer
+++ /dev/null
Binary files differ
diff --git a/ios/BuildInstructions.md b/ios/BuildInstructions.md
index 340a116f76..4c112fcad7 100644
--- a/ios/BuildInstructions.md
+++ b/ios/BuildInstructions.md
@@ -210,6 +210,5 @@ Reference: https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sier
The iOS app utilizes SSL pinning. Root certificates can be updated by using the source certificates shipped along with `mullvad-rpc`:
```
-openssl x509 -in ../mullvad-rpc/new_le_root_cert.pem -outform der -out Assets/new_le_root_cert.cer
-openssl x509 -in ../mullvad-rpc/old_le_root_cert.pem -outform der -out Assets/old_le_root_cert.cer
+openssl x509 -in ../mullvad-rpc/le_root_cert.pem -outform der -out Assets/le_root_cert.cer
```
diff --git a/ios/MullvadVPN.xcodeproj/project.pbxproj b/ios/MullvadVPN.xcodeproj/project.pbxproj
index 5c6d057dd6..4417fd14e9 100644
--- a/ios/MullvadVPN.xcodeproj/project.pbxproj
+++ b/ios/MullvadVPN.xcodeproj/project.pbxproj
@@ -94,10 +94,8 @@
5846227526E22A350035F7C2 /* AnyAppStorePaymentObserver.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5846227426E22A350035F7C2 /* AnyAppStorePaymentObserver.swift */; };
5846227726E22A7C0035F7C2 /* AppStorePaymentManagerDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 5846227626E22A7C0035F7C2 /* AppStorePaymentManagerDelegate.swift */; };
5846227A26E24F1F0035F7C2 /* ExclusivityController.swift in Sources */ = {isa = PBXBuildFile; fileRef = 580EE20524B3222200F9D8A1 /* ExclusivityController.swift */; };
- 584789B8264D4A2A000E45FB /* old_le_root_cert.cer in Resources */ = {isa = PBXBuildFile; fileRef = 584789B4264D4A2A000E45FB /* old_le_root_cert.cer */; };
- 584789B9264D4A2A000E45FB /* old_le_root_cert.cer in Resources */ = {isa = PBXBuildFile; fileRef = 584789B4264D4A2A000E45FB /* old_le_root_cert.cer */; };
- 584789BE264D4A2A000E45FB /* new_le_root_cert.cer in Resources */ = {isa = PBXBuildFile; fileRef = 584789B7264D4A2A000E45FB /* new_le_root_cert.cer */; };
- 584789BF264D4A2A000E45FB /* new_le_root_cert.cer in Resources */ = {isa = PBXBuildFile; fileRef = 584789B7264D4A2A000E45FB /* new_le_root_cert.cer */; };
+ 584789BE264D4A2A000E45FB /* le_root_cert.cer in Resources */ = {isa = PBXBuildFile; fileRef = 584789B7264D4A2A000E45FB /* le_root_cert.cer */; };
+ 584789BE264D4A2A000E45FB /* le_root_cert.cer in Resources */ = {isa = PBXBuildFile; fileRef = 584789B7264D4A2A000E45FB /* le_root_cert.cer */; };
584789E026529D72000E45FB /* SSLPinningURLSessionDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = 584789DF26529D72000E45FB /* SSLPinningURLSessionDelegate.swift */; };
584789EC2652A1A2000E45FB /* Logging in Frameworks */ = {isa = PBXBuildFile; productRef = 584789EB2652A1A2000E45FB /* Logging */; };
584E96BC240FD4DA00D3334F /* Location.swift in Sources */ = {isa = PBXBuildFile; fileRef = 58A1AA8623F43901009F7EA6 /* Location.swift */; };
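Review bot: The two added PBXBuildFile entries on the new side both use the object ID `584789BE264D4A2A000E45FB`, while the Resources build phase later in this file still references `584789BF264D4A2A000E45FB` for `le_root_cert.cer` (the second `files = (` list in this diff), so one ID is duplicated and the other is dangling. Xcode treats duplicate object IDs in project.pbxproj as corruption and the second target would have no valid resource entry for the certificate, which would leave that target without the pinned root at runtime. The second added line should read `584789BF264D4A2A000E45FB /* le_root_cert.cer in Resources */ = {isa = PBXBuildFile; fileRef = 584789B7264D4A2A000E45FB /* le_root_cert.cer */; };`. Worth opening the project in Xcode once to confirm it parses cleanly after the edit.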
@@ -393,8 +391,7 @@
5846227226E22A160035F7C2 /* AppStorePaymentObserver.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppStorePaymentObserver.swift; sourceTree = "<group>"; };
5846227426E22A350035F7C2 /* AnyAppStorePaymentObserver.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AnyAppStorePaymentObserver.swift; sourceTree = "<group>"; };
5846227626E22A7C0035F7C2 /* AppStorePaymentManagerDelegate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppStorePaymentManagerDelegate.swift; sourceTree = "<group>"; };
- 584789B4264D4A2A000E45FB /* old_le_root_cert.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = old_le_root_cert.cer; sourceTree = "<group>"; };
- 584789B7264D4A2A000E45FB /* new_le_root_cert.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = new_le_root_cert.cer; sourceTree = "<group>"; };
+ 584789B7264D4A2A000E45FB /* le_root_cert.cer */ = {isa = PBXFileReference; lastKnownFileType = file; path = le_root_cert.cer; sourceTree = "<group>"; };
584789DF26529D72000E45FB /* SSLPinningURLSessionDelegate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SSLPinningURLSessionDelegate.swift; sourceTree = "<group>"; };
584B26F3237434D00073B10E /* RelaySelectorTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = RelaySelectorTests.swift; sourceTree = "<group>"; };
5850366725A47AC700A43E93 /* IPAddressRange+Codable.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = "IPAddressRange+Codable.swift"; sourceTree = "<group>"; };
@@ -940,8 +937,7 @@
58F3C0A824A50C0E003E76BE /* Assets */ = {
isa = PBXGroup;
children = (
- 584789B7264D4A2A000E45FB /* new_le_root_cert.cer */,
- 584789B4264D4A2A000E45FB /* old_le_root_cert.cer */,
+ 584789B7264D4A2A000E45FB /* le_root_cert.cer */,
58F3C0A524A50155003E76BE /* relays.json */,
);
path = Assets;
@@ -1160,12 +1156,11 @@
58F558E32695D1D800F630D0 /* Preferences.strings in Resources */,
582CFEE726945FC30072883A /* AppStoreSubscriptions.strings in Resources */,
58F558EF2695D50D00F630D0 /* ProblemReportReview.strings in Resources */,
- 584789B8264D4A2A000E45FB /* old_le_root_cert.cer in Resources */,
58F558E62695D1F200F630D0 /* ProblemReport.strings in Resources */,
58F5590D2697002100F630D0 /* AccountInput.strings in Resources */,
58F559102697002100F630D0 /* HeaderBar.strings in Resources */,
58F558F92696EB1C00F630D0 /* StoreKitErrors.strings in Resources */,
- 584789BE264D4A2A000E45FB /* new_le_root_cert.cer in Resources */,
+ 584789BE264D4A2A000E45FB /* le_root_cert.cer in Resources */,
58F61F4F2692F21C00DCFC2B /* WireguardKeys.strings in Resources */,
58F5590B2697002100F630D0 /* CustomDateComponentsFormatting.strings in Resources */,
58F5590E2697002100F630D0 /* Main.strings in Resources */,
@@ -1180,9 +1175,8 @@
isa = PBXResourcesBuildPhase;
buildActionMask = 2147483647;
files = (
- 584789B9264D4A2A000E45FB /* old_le_root_cert.cer in Resources */,
58F3C0A724A50C02003E76BE /* relays.json in Resources */,
- 584789BF264D4A2A000E45FB /* new_le_root_cert.cer in Resources */,
+ 584789BF264D4A2A000E45FB /* le_root_cert.cer in Resources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
diff --git a/ios/MullvadVPN/REST/RESTClient.swift b/ios/MullvadVPN/REST/RESTClient.swift
index 2c76241ae9..2881ccf287 100644
--- a/ios/MullvadVPN/REST/RESTClient.swift
+++ b/ios/MullvadVPN/REST/RESTClient.swift
@@ -27,10 +27,9 @@ extension REST {
/// Returns array of trusted root certificates
private static var trustedRootCertificates: [SecCertificate] {
- let oldRootCertificate = Bundle.main.path(forResource: "old_le_root_cert", ofType: "cer")!
- let newRootCertificate = Bundle.main.path(forResource: "new_le_root_cert", ofType: "cer")!
+ let rootCertificate = Bundle.main.path(forResource: "le_root_cert", ofType: "cer")!
- return [oldRootCertificate, newRootCertificate].map { (path) -> SecCertificate in
+ return [rootCertificate].map { (path) -> SecCertificate in
let data = FileManager.default.contents(atPath: path)!
return SecCertificateCreateWithData(nil, data as CFData)!
}
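Review bot: The trust anchor set is now a single bundled root, so the next root rotation has no overlap window the way the old/new pair had, and nothing in this hunk records which root is pinned or when it expires; a comment next to the resource name such as `// Single pinned Let's Encrypt root; check its notAfter before each release — expiry breaks all API traffic` would make the next rotation a planned change rather than an outage. The `[rootCertificate].map { ... }` over a one-element array reads as a leftover from the two-certificate version; the same result is `let data = FileManager.default.contents(atPath: rootCertificate)!` followed by `return [SecCertificateCreateWithData(nil, data as CFData)!]`. The three force-unwraps on the bundle path, file contents and certificate parse predate this commit but now all sit on one resource; a `preconditionFailure` with the resource name would make a packaging mistake easier to diagnose than a bare crash. The closing brace of `trustedRootCertificates` lies outside the hunk.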
diff --git a/mullvad-rpc/new_le_root_cert.pem b/mullvad-rpc/le_root_cert.pem
index b85c8037f6..b85c8037f6 100644
--- a/mullvad-rpc/new_le_root_cert.pem
+++ b/mullvad-rpc/le_root_cert.pem
diff --git a/mullvad-rpc/old_le_root_cert.pem b/mullvad-rpc/old_le_root_cert.pem
deleted file mode 100644
index b2e43c9381..0000000000
--- a/mullvad-rpc/old_le_root_cert.pem
+++ /dev/null
@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
diff --git a/mullvad-rpc/src/https_client_with_sni.rs b/mullvad-rpc/src/https_client_with_sni.rs
index fc1cac4f55..745a2c05ff 100644
--- a/mullvad-rpc/src/https_client_with_sni.rs
+++ b/mullvad-rpc/src/https_client_with_sni.rs
@@ -30,10 +30,8 @@ use tokio::{net::TcpStream as TokioTcpStream, runtime::Handle, time::timeout};
use tokio_rustls::rustls::{self, ProtocolVersion};
use webpki::DNSNameRef;
-// Old LetsEncrypt root certificate
-const OLD_ROOT_CERT: &[u8] = include_bytes!("../old_le_root_cert.pem");
// New LetsEncrypt root certificate
-const NEW_ROOT_CERT: &[u8] = include_bytes!("../new_le_root_cert.pem");
+const LE_ROOT_CERT: &[u8] = include_bytes!("../le_root_cert.pem");
const CONNECT_TIMEOUT: Duration = Duration::from_secs(5);
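Review bot: The context line `// New LetsEncrypt root certificate` is now stale, since there is no "old" counterpart left and the constant was renamed to `LE_ROOT_CERT`. The comment should say which root is embedded and why it matters that it is the only one, e.g. `// Sole Let's Encrypt root trusted for API connections (see le_root_cert.pem for subject/notAfter); API access breaks when it expires`. I cannot see the PEM content in this diff, so the subject and expiry should be filled in from the file rather than assumed.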
@@ -84,14 +82,7 @@ impl HttpsConnectorWithSni {
let mut cert_store = rustls::RootCertStore::empty();
let (num_certs_added, num_failures) = cert_store
- .add_pem_file(&mut BufReader::new(OLD_ROOT_CERT))
- .expect("Failed to add old root cert");
- if num_failures > 0 || num_certs_added != 1 {
- panic!("Failed to add old root cert");
- }
-
- let (num_certs_added, num_failures) = cert_store
- .add_pem_file(&mut BufReader::new(NEW_ROOT_CERT))
+ .add_pem_file(&mut BufReader::new(LE_ROOT_CERT))
.expect("Failed to add new root cert");
if num_failures > 0 || num_certs_added != 1 {
panic!("Failed to add new root cert");
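Review bot: The surviving `expect("Failed to add new root cert")` and `panic!("Failed to add new root cert")` messages still say "new", which no longer distinguishes anything now that only one root is loaded; `expect("Failed to parse LE root cert")` and `panic!("Failed to add LE root cert")` would match the renamed constant. Collapsing to a single root also means the removed PEM's situation repeats at the next expiry (the deleted certificate appears to be DST Root CA X3 with notAfter 2021-09-30, judging by its DER fields), and with one anchor there is no way to ship a successor ahead of time; keeping the store populated from a slice of roots, even if it currently holds one, would preserve that option. The `num_failures > 0 || num_certs_added != 1` check is a good hard fail for a malformed embed and should stay. The enclosing function continues past the end of this hunk.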