
Inadequate Encryption Strength CVE multiples

Open s-b-repo opened this issue 8 months ago • 2 comments

[core/java/src/net/i2p/util/SSLEepGet.java] line 430:

    if (_log.shouldLog(Log.INFO)) _log.info("Loaded total of " + totalAdds + " new trusted certificates");

    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.

[router/java/src/net/i2p/router/client/SSLClientListenerRunner.java] line 141:

        return false;
    }
    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.

[core/java/src/net/i2p/util/I2PSSLSocketFactory.java] line 529:

        // don't continue, since we didn't load the system keystore, we have nothing.
        throw new GeneralSecurityException(msg);
    }

    SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.

[apps/i2ptunnel/java/src/net/i2p/i2ptunnel/SSLClientUtil.java] line 198:

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance.

[apps/sam/java/src/net/i2p/sam/client/SSLUtil.java] line 163:

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

[apps/sam/java/src/net/i2p/sam/SSLUtil.java] line 162:

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

Learn how to fix: https://learn.snyk.io/lesson/insecure-hash/?authenticate=automatic

s-b-repo avatar Oct 17 '23 21:10 s-b-repo

This is likely not something we can fix in a way which will satisfy the scanner you're using, because of the TLS ladder being pulled up behind .onion services. We have to allow self-signed certificates and we have to silently accept self-signed SSL certificates when they come from I2P hostnames in eepget/ssleepget. However if using a more modern library can satisfy our requirement then maybe it's worth it. Leaving it open for further consideration.

eyedeekay avatar Oct 18 '23 00:10 eyedeekay
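The two points above (the scanner's "use TLSv1.2 instead of SSLContext.getInstance" findings, and the maintainer's reply that I2P hostnames must be allowed to present self-signed certificates) are independent, and the following added example shows why. It is illustration code written for this discussion, not code from i2p.i2p or from eepget/ssleepget. The class name TlsFloorExample, the ALLOWED_PROTOCOLS list, the `.i2p` suffix heuristic in isI2PHost, the I2PAwareTrustManager policy and the sample host names are all assumptions made here. The protocol floor is pinned on the socket via SSLParameters, which is what actually governs the handshake; the string passed to SSLContext.getInstance only selects the provider and its default enabled set.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added illustration, not i2p.i2p code: version floor on the socket, cert policy in the trust manager.
public final class TlsFloorExample {

    // Assumption: the only versions we are willing to negotiate (requires a JVM with TLSv1.3, i.e. 11+).
    static final String[] ALLOWED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    // Assumption: an I2P destination is any name under the .i2p pseudo-TLD.
    static boolean isI2PHost(String host) {
        return host != null && host.toLowerCase(Locale.ROOT).endsWith(".i2p");
    }

    // The platform's default X509TrustManager (CA store), used for clearnet hosts.
    static X509TrustManager platformTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("no X509TrustManager in platform defaults");
    }

    // Hypothetical policy: for an I2P host accept exactly one self-signed, currently valid
    // certificate whose signature verifies under its own key (the destination name already
    // authenticates the peer); for any other host defer to the platform CA store.
    static final class I2PAwareTrustManager implements X509TrustManager {
        private final X509TrustManager platform;
        private final String host;

        I2PAwareTrustManager(X509TrustManager platform, String host) {
            this.platform = platform;
            this.host = host;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
            if (!isI2PHost(host)) {
                platform.checkServerTrusted(chain, authType);
                return;
            }
            X509Certificate leaf = chain[0];
            if (chain.length != 1 || !leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                throw new CertificateException("expected a single self-signed certificate for " + host);
            }
            try {
                leaf.checkValidity();
                leaf.verify(leaf.getPublicKey()); // self-signature must check out; no CA involved
            } catch (GeneralSecurityException e) {
                throw new CertificateException("self-signed certificate failed self-verification", e);
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            platform.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return platform.getAcceptedIssuers();
        }
    }

    // "TLS" here only selects the provider; the version floor is enforced in newSocket().
    static SSLContext buildContext(String host) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new I2PAwareTrustManager(platformTrustManager(), host) },
                 new SecureRandom());
        return ctx;
    }

    // Unconnected socket with the protocol list pinned before any handshake can run.
    static SSLSocket newSocket(String host) throws GeneralSecurityException, IOException {
        SSLSocketFactory factory = buildContext(host).getSocketFactory();
        SSLSocket sock = (SSLSocket) factory.createSocket();
        SSLParameters params = sock.getSSLParameters();
        params.setProtocols(ALLOWED_PROTOCOLS); // drops TLSv1.0/1.1 whatever the JVM default is
        // Clearnet names get RFC 2818 hostname matching; a .i2p name is not in the cert's SAN.
        if (!isI2PHost(host)) params.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(params);
        return sock;
    }

    public static void main(String[] args) throws Exception {
        // Sample host names chosen for illustration only.
        for (String host : new String[] {"example.com", "example.i2p"}) {
            SSLSocket s = newSocket(host);
            System.out.println(host + " -> enabled: " + String.join(",", s.getEnabledProtocols()));
            s.close();
        }
    }
}
```

Two caveats for whoever picks this up. First, on SunJSSE the name given to SSLContext.getInstance (for example "TLSv1.2") only changes which versions are enabled by default on sockets created from that context; the enabled list on the socket is what the handshake honours, so pinning it with setProtocols (or SSLSocket.setEnabledProtocols) is the change that actually removes TLSv1.0/1.1, and it also keeps TLSv1.3 available, which a "TLSv1.2" context would not enable by default. Second, the self-signed acceptance is scoped to the hostname check, so widening trust for .i2p destinations does not loosen the cipher or protocol floor for anyone, which is the separation the scanner finding is really about.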

> This is likely not something we can fix in a way which will satisfy the scanner you're using, because of the TLS ladder being pulled up behind .onion services. We have to allow self-signed certificates and we have to silently accept self-signed SSL certificates when they come from I2P hostnames in eepget/ssleepget. However if using a more modern library can satisfy our requirement then maybe it's worth it. Leaving it open for further consideration.

Why not make a bunch of real certificate hosts? Basically, everyone verifies each other's certs.

s-b-repo avatar Oct 18 '23 02:10 s-b-repo