Stronger SSL verification and HTTP redirection #50
Among other things, we have to consider whether or not we want to allow HTTP redirection.
Just a side note: here is an Apple SSL bug from Feb 22 2014.
@trishankatdatadog, is this issue still relevant? Judging from the mailing list discussion you linked above some of the problems are concerns of the server configuration and not TUF. Also, in the meantime, we switched to Regarding redirects, they are on per default in I suggest to close here...
>>> import requests
>>> from pprint import pprint
>>> pprint(requests.get("https://www.howsmyssl.com/a/check").json())
{'able_to_detect_n_minus_one_splitting': False,
'beast_vuln': False,
'ephemeral_keys_supported': True,
'insecure_cipher_suites': {},
'rating': 'Probably Okay',
'session_ticket_supported': True,
'tls_compression_supported': False,
'tls_version': 'TLS 1.2',
'unknown_cipher_suite_supported': False,
'given_cipher_suites': ['TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_DH_DSS_WITH_AES_256_GCM_SHA384',
'TLS_DH_RSA_WITH_AES_256_GCM_SHA384',
'TLS_DH_DSS_WITH_AES_128_GCM_SHA256',
'TLS_DH_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384',
'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
'TLS_DH_RSA_WITH_AES_256_CBC_SHA256',
'TLS_DH_DSS_WITH_AES_256_CBC_SHA256',
'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_DH_RSA_WITH_AES_256_CBC_SHA',
'TLS_DH_DSS_WITH_AES_256_CBC_SHA',
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_DH_RSA_WITH_AES_128_CBC_SHA256',
'TLS_DH_DSS_WITH_AES_128_CBC_SHA256',
'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_DH_RSA_WITH_AES_128_CBC_SHA',
'TLS_DH_DSS_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_EMPTY_RENEGOTIATION_INFO_SCSV']}
Looks OK to me. @JustinCappos any reservations?
Seems fine to me.
…On Tue, Sep 24, 2019 at 2:50 PM Trishank K Kuppusamy < ***@***.***> wrote:
Looks OK to me. @JustinCappos <https://github.com/JustinCappos> any
reservations?
tuf.download needs stronger SSL verification (i.e. use stronger SSL ciphers and protocol versions).
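One way to express both points raised in this issue, stricter protocol versions and ciphers plus a constrained redirect policy, using only Python's standard library. This is an added example, not TUF's own code; the cipher string, the HTTPS-only same-host redirect rule, and the names `strict_tls_context`, `SameOriginHTTPSRedirects`, `strict_opener` and `redirect_allowed` are assumptions made for illustration.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed policy: forward-secret AEAD suites only; adjust to local requirements.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def strict_tls_context():
    """Client context: verified certificate, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHERS)  # governs TLS <= 1.2; TLS 1.3 suites are set separately
    return ctx


class SameOriginHTTPSRedirects(urllib.request.HTTPRedirectHandler):
    """Follow a redirect only if it stays on HTTPS and on the same host."""
    max_redirections = 3

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        old, new = urlsplit(req.full_url), urlsplit(newurl)
        if new.scheme != "https" or new.netloc.lower() != old.netloc.lower():
            raise urllib.error.HTTPError(
                req.full_url, code, f"redirect to {newurl} refused", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def strict_opener():
    """Opener that combines the strict TLS context with the redirect policy."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_tls_context()),
        SameOriginHTTPSRedirects())


def redirect_allowed(src, dst):
    """Apply the redirect policy to a constructed hop without network access."""
    try:
        req = SameOriginHTTPSRedirects().redirect_request(
            urllib.request.Request(src), None, 302, "Found", {}, dst)
        return req is not None
    except urllib.error.HTTPError:
        return False
```

The default `HTTPRedirectHandler` would follow an HTTPS to HTTP downgrade silently, which is the behaviour the redirect question in this issue is about.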