Secure Defaults for HTTPS/TLS and for Password-Based Key Derivation #10602
I represent Symbolic Software, an applied cryptography consultancy that has been a happy Gitea user for quite some time.
All changes made in this pull request have been fully tested.
Changes to TLS
Currently, Gitea allows TLS 1.0 and TLS 1.1 for HTTPS connections. These versions of TLS have long been deprecated due to security vulnerabilities, and are also no longer necessary for wide browser compatibility. The change I propose in this pull request sets TLS 1.2 as the minimum TLS version, with additional support for TLS 1.3.
On SSLLabs, we can see the difference. Before my changes:
After my changes:
Changes to Password-Based Key Derivation
Currently, Gitea uses
Therefore, given the above and especially given that
Thank you very much for your work on Gitea, we are huge Gitea fans and look forward to perhaps contributing more in the future.
Can we just keep the TLS defaults to golang's defaults (but overrideable)? I don't think we want to manually configure that stuff ideally, and golang is certainly faster doing those changes than we are. So with all defaults, one should get TLS 1.2, 1.3 in golang 1.14.
techknowlogick left a comment
Thanks for the PR :)
Could you split this up into two PRs, one for hash algo change, and another for TLS changes? This allows for reviewing and merging of each specific component and faster merging of a PR without blocking on non-related reviews.
Guys, it's worth noting that Chrome, Firefox and Safari will all completely drop support for TLS 1.0 and 1.1 this month. In light of this news, is it still worth supporting these protocols in Gitea? I strongly but humbly recommend against it.