Stronger SSL verification and HTTP redirection #50
Assignees
Comments
ghost
assigned 
|
Among other things, we have to consider whether or not we want to allow HTTP redirection. |
|
Just a side note: here is an Apple SSL bug from Feb 22 2014. |
|
@trishankatdatadog, is this issue still relevant? Judging from the mailing list discussion you linked above some of the problems are concerns of the server configuration and not TUF. Also, in the meantime, we switched to Regarding redirects, they are on per default in I suggest to close here... >>> import requests
>>> from pprint import pprint
>>> pprint(requests.get("https://www.howsmyssl.com/a/check").json())
{'able_to_detect_n_minus_one_splitting': False,
'beast_vuln': False,
'ephemeral_keys_supported': True,
'insecure_cipher_suites': {},
'rating': 'Probably Okay',
'session_ticket_supported': True,
'tls_compression_supported': False,
'tls_version': 'TLS 1.2',
'unknown_cipher_suite_supported': False,
'given_cipher_suites': ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_DH_DSS_WITH_AES_256_GCM_SHA384',
'TLS_DH_RSA_WITH_AES_256_GCM_SHA384',
'TLS_DH_DSS_WITH_AES_128_GCM_SHA256',
'TLS_DH_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
'TLS_DH_RSA_WITH_AES_256_CBC_SHA256',
'TLS_DH_DSS_WITH_AES_256_CBC_SHA256',
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_DH_RSA_WITH_AES_256_CBC_SHA',
'TLS_DH_DSS_WITH_AES_256_CBC_SHA',
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_DH_RSA_WITH_AES_128_CBC_SHA256',
'TLS_DH_DSS_WITH_AES_128_CBC_SHA256',
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_DH_RSA_WITH_AES_128_CBC_SHA',
'TLS_DH_DSS_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_EMPTY_RENEGOTIATION_INFO_SCSV']} |
|
Looks OK to me. @JustinCappos any reservations? |
|
Seems fine to me.
…On Tue, Sep 24, 2019 at 2:50 PM Trishank K Kuppusamy < ***@***.***> wrote:
Looks OK to me. @JustinCappos <https://github.com/JustinCappos> any
reservations?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#50>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAGROD5SFNW4CG2PE3CNPBDQLJOQ7ANCNFSM4AECOH5A>
.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
tuf.downloadneeds stronger SSL verification (i.e. use stronger SSL ciphers and protocol versions).The text was updated successfully, but these errors were encountered: