Adguard on macOS 的 https filter 不检查证书吊销状态

今天收到了 Adguard 团队的回复如下：

Let me please answer all the questions one by one:

Adguard’s https filtering seems not checking the revoke status of certificates

Ok, this one is unexpected, thank you so much for reporting this to us! Seems to be a Mac-specific issue, we'll handle it asap.

A bug report: https://github.com/AdguardTeam/CoreLibs/issues/1170

1. I see that Adguard will support to show the original certification’s info very soon, which is wonderful. Is it possible to give more details on the protocol used by the connection to the server at the same time? For example, is it TLS 1.2 or 1.3, ECDSA or RSA.

This is a little bit orthogonal to showing a certificate, but we'll think about it as well: https://github.com/AdguardTeam/CoreLibs/issues/1171

2. To prevent downgrade attacks, an option to choose the minimal TLS version would be fantastic. This can even provide a better security than normal browser!

At the moment, AdGuard uses the very same settings as the browser. So if you specify the minimal TLS version in the browser settings (where it's possible), AG will use the same.

3. Is it possible to use the system’s keychain to save the private key of the root certificate? I apologies if this is a naive question, I’m not an experienced Mac developer :)

Technically, yes, it is possible. However, AdGuard generates a unique private key and stores it encrypted for a reason -- so that third-party apps could not access and read or modify it.

4. Can you shorten the valid duration of the root certificate and rotate it frequently? For example, 6 months limitation for the root cert and 3 months for every domain cert.

Here is how it works in the current version:

1. AdGuard calculates a hash of the server certificates and uses it as a key in its own encrypted certs storage
2. If there's no cert for this hash in the storage, it generates a new one and stores it there
3. It's "not_after" date is set to the same value as the original cert had
4. Once it expires, it is removed from the storage

With this approach, we can be sure that whenever the domain certificate is changed, AG will reevaluate it, and generate a new certificate. On the other hand, rotating domain certificates more often does make sense to me, we should consider doing it. Re-generating the root certificate is also possible, but tbh I don't see much sense in doing it.