
Inadequate Encryption Strength CVE multiables #61

Open
s-b-repo opened this issue Oct 17, 2023 · 2 comments

Comments

@s-b-repo

if (_log.shouldLog(Log.INFO))
_log.info("Loaded total of " + totalAdds + " new trusted certificates");

    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line:430

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[core/java/src/net/i2p/util/SSLEepGet.java]

    return false;
    }
    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line:141

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[router/java/src/net/i2p/router/client/SSLClientListenerRunner.java]

        // don't continue, since we didn't load the system keystore, we have nothing.
        throw new GeneralSecurityException(msg);
    }

529: SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[core/java/src/net/i2p/util/I2PSSLSocketFactory.java]

   }

    InputStream fis = null;
    try {

#198 SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.
[apps/i2ptunnel/java/src/net/i2p/i2ptunnel/SSLClientUtil.java]

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

163:

[apps/sam/java/src/net/i2p/sam/client/SSLUtil.java]

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

162:
[apps/sam/java/src/net/i2p/sam/SSLUtil.java]

learn how to fix
https://learn.snyk.io/lesson/insecure-hash/?authenticate=automatic

@eyedeekay
Contributor

This is likely not something we can fix in a way which will satisfy the scanner you're using, because of the TLS ladder being pulled up behind .onion services. We have to allow self-signed certificates and we have to silently accept self-signed SSL certificates when they come from I2P hostnames in eepget/ssleepget. However if using a more modern library can satisfy our requirement then maybe it's worth it. Leaving it open for further consideration.
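
The scanner finding above is about which TLS version the context may negotiate, which is independent of which certificates the trust manager accepts. The following is an added example, not I2P code, showing a context built on a caller-supplied truststore (such as the certificates the project loads itself) that names a concrete TLS version and pins the negotiable versions per socket; the class and method names are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Added example (hypothetical class, not I2P code): explicit TLS version pinning around a caller-supplied truststore. */
public final class RestrictedTls {
    // Only these versions may be negotiated, in preference order; the JVM default list is ignored.
    private static final List<String> WANTED = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** trustStore holds the certificates the application chose to trust; certificate policy stays in the trust manager. */
    public static SSLContext newContext(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // Name a concrete version instead of the generic "TLS" alias that the scanner flags.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    /** Versions the context can actually offer; filtering avoids IllegalArgumentException on JVMs without TLS 1.3. */
    static String[] negotiable(SSLContext ctx) {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> out = new ArrayList<>();
        for (String p : WANTED) {
            if (supported.contains(p)) out.add(p);
        }
        if (out.isEmpty()) throw new IllegalStateException("no acceptable TLS version available");
        return out.toArray(new String[0]);
    }

    /** Open a client socket that refuses anything below TLS 1.2 and checks the hostname against the certificate. */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = s.getSSLParameters();
        params.setProtocols(negotiable(ctx));
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 style hostname verification
        s.setSSLParameters(params);
        s.startHandshake();
        return s;
    }
}
```

Whether a self-signed certificate is accepted is decided entirely by the trust managers passed to ctx.init, so the version restriction can be applied without changing the project's existing certificate policy.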

@s-b-repo
Author

> This is likely not something we can fix in a way which will satisfy the scanner you're using, because of the TLS ladder being pulled up behind .onion services. We have to allow self-signed certificates and we have to silently accept self-signed SSL certificates when they come from I2P hostnames in eepget/ssleepget. However if using a more modern library can satisfy our requirement then maybe it's worth it. Leaving it open for further consideration.

why not make a bunch of real certificate hosts, basically people where everyone verifies each other's certs
