TLS Positive and Negative Overrides

Tor Browser for GNU/Linux can be used with Namecoin for TLS positive and negative overrides; this allows certificates for .bit domains that match the blockchain to be used without errors, and prevents malicious or compromised public CA’s from issuing certificates for .bit domains. Instructions:

  1. Install ncdns.

  2. Build certdehydrate-dane-rest-api and ncp11 from source, like this:

    git clone https://github.com/namecoin/ncdns-repro.git
cd ncdns-repro
make submodule-update
./rbm/rbm build certdehydrate-dane-rest-api --target release --target ncdns-linux-x86_64
./rbm/rbm build ncp11 --target release --target ncdns-linux-x86_64
  3. The certdehydrate-dane-rest-api binary will be a .tar.gz file in ./out/certdehydrate-dane-rest-api/.
  4. The ncp11 binary will be a .tar.gz file in ./out/ncp11/.
  5. Extract certdehydrate-dane-rest-api from the certdehydrate-dane-rest-api .tar.gz file.
  6. Extract libncp11.so from the ncp11 .tar.gz file.

  7. Create a text file called certdehydrate-dane-rest-api.conf in the same directory where certdehydrate-dane-rest-api is, and fill it with the following contents (if ncdns is listening on a different IP or port, change the following accordingly):

    [certdehydrate-dane-rest-api]
nameserver="127.0.0.1"
port="5391"
  8. Run certdehydrate-dane-rest-api.
  9. If you want to test certdehydrate-dane-rest-api, try visiting http://127.0.0.1:8080/lookup?domain=ca-test.bit in a web browser. You should see a certificate. If you instead get an error or an empty page, something is wrong.
  10. Make sure Tor Browser is installed.
  11. Make sure Tor Browser is already configured to use Namecoin for Tor name resolution.
  12. Make sure Tor Browser is shut down.
  13. In Tor Browser’s Browser folder, rename libnssckbi.so to libnssckbi-namecoin-target.so.
  14. Copy libncp11.so to Tor Browser’s Browser folder.
  15. In Tor Browser’s Browser folder, rename libncp11.so to libnssckbi.so.

You can now visit in Tor Browser a .bit website that supports TLS, e.g. the ncp11 test page. The website should load in Tor Browser without errors. Note that only CA trust anchors are accepted; end-entity trust anchors are not accepted. This means that some older .bit domains will have their certificates rejected in Tor Browser. We are working on contacting the affected .bit domain owners to ask them to upgrade their setup.