
Drop TLS1.1 from sh/rustup.rs server

Open BryanQuigley opened this issue 3 years ago • 7 comments

https://www.hardenize.com/report/rustup.rs/1606542595#www_tls https://www.ssllabs.com/ssltest/analyze.html?d=sh.rustup.rs

Disable TLS1.1 if you can. Although this may create issues for CentOS6/RHEL6 currently in extended support mode.

Notes: No major browser should be using it now and the script should generally be enforcing tls1.2.

BryanQuigley avatar Nov 28 '20 17:11 BryanQuigley

I'm not sure if we have any control over the server's SSL support since it's cloudfront/AWS I think. @pietroalbini Do you know about this?

Even if we do support it, I know people use CentOS6 as a CI base platform so we shouldn't turn it off without some kind of backup plan for those users.

kinnison avatar Nov 28 '20 18:11 kinnison

It's possible to disable it on Cloudfront, not sure if we want to break CentOS/RHEL though. cc @cuviper

pietroalbini avatar Nov 28 '20 21:11 pietroalbini

I was wrong about CentOS 6 - it appears a simple upgrade should let it get TLS1.2 - and if they haven't at this point that's very bad for them: https://status.yubico.com/2019/01/08/centos-6-and-tls1-2/

I believe just setting TLSv1.2_2018 would do it - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy

BryanQuigley avatar Nov 29 '20 03:11 BryanQuigley

Oh interesting, that's useful to know. I assume similar exists for RHEL given their close connection to each other then.

kinnison avatar Nov 29 '20 10:11 kinnison

Yes, the change would have happened in RHEL6 first, then rebuilt for CentOS6. AFAIK this should be fine, but if there's any way to provide it on a test server first, I can try it out.

The other Linux baseline is SLE11-SP4, and it sounds like they have a solution, but it's complicated for openssl: https://www.suse.com/c/introducing-the-suse-linux-enterprise-11-security-module/

cuviper avatar Nov 29 '20 16:11 cuviper
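The two checks this thread keeps coming back to (does the CloudFront endpoint still accept TLS 1.1 after the policy change, and can an old CentOS 6 / SLE11 build box negotiate TLS 1.2 at all) can both be answered from the command line with a version-pinned `openssl s_client` handshake. The script below is an added example written for this page; it is not part of the rustup project or the issue. It assumes `openssl` is installed, and the host name is a placeholder supplied by the caller, not a claim about any particular server.

```shell
#!/bin/sh
# Added example (not code from the rustup issue or the rustup project):
# probe which TLS protocol versions an HTTPS endpoint accepts by forcing
# openssl s_client to a single version and classifying its transcript.

# classify_handshake TRANSCRIPT
# Prints "rejected" when the server refused the offered version (the
# rejection markers are checked first, because s_client still prints an
# SSL-Session block naming the offered protocol on failure, with the
# cipher shown as 0000), "accepted" when a handshake completed, and
# "unknown" for anything else (connection refused, unknown option, ...).
classify_handshake() {
  case "$1" in
    *"alert protocol version"*|*"no protocols available"*|*"wrong version number"*|*"unsupported protocol"*|*"Cipher    : 0000"*|*"handshake failure"*)
      echo rejected ;;
    *"Protocol  : TLSv1"*|*"Protocol version: TLSv1"*)
      echo accepted ;;
    *)
      echo unknown ;;
  esac
}

# probe_tls HOST PORT FLAG
# FLAG is one of the s_client version switches (-tls1, -tls1_1, -tls1_2, -tls1_3).
# Stdin is closed so s_client exits as soon as the handshake succeeds or fails.
probe_tls() {
  host=$1; port=$2; flag=$3
  out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1)
  classify_handshake "$out"
}

# expect_rejected HOST PORT FLAG -> exit status 0 only if the server refuses FLAG.
# Useful as a post-change assertion, e.g. expect_rejected HOST 443 -tls1_1
expect_rejected() {
  [ "$(probe_tls "$1" "$2" "$3")" = rejected ]
}

# Constructed transcripts (not captured from any real server) used to
# exercise the classifier offline.
SAMPLE_REJECTED='CONNECTED(00000003)
140000000:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# self_check -> exit status 0 if the classifier handles the constructed samples.
self_check() {
  [ "$(classify_handshake "$SAMPLE_REJECTED")" = rejected ] &&
  [ "$(classify_handshake "$SAMPLE_ACCEPTED")" = accepted ] &&
  [ "$(classify_handshake "connect: Connection refused")" = unknown ]
}

# Usage (needs network access): PROBE_HOST=<hostname> sh probe_tls.sh
if [ -n "${PROBE_HOST:-}" ]; then
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%-8s %s\n' "$flag" "$(probe_tls "$PROBE_HOST" 443 "$flag")"
  done
fi
```

Run against the CDN hostname after the minimum-protocol policy is raised, the expected output is `rejected` for `-tls1` and `-tls1_1` and `accepted` for `-tls1_2`. Run on the build box itself, a `unknown option` result for `-tls1_2` (classified as `unknown`) is the signal that the local OpenSSL is too old to reach a TLS 1.2-only server, which is the situation the CentOS 6 and SLE11 links above describe.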

Disclaimer: I stumbled on this issue by accident, and I am not an expert in cryptography.

In case it's helpful, I wanted to point out EOL for CentOS 6 and RHEL 6 ended in November 2020. Maybe it's ok to disable TLS 1.1 now?

cc @cuviper @kinnison @pietroalbini

yerke avatar Jul 06 '22 00:07 yerke

I am still aware of companies using RHEL 6 with direct support from Red Hat, so I'd prefer not to disable this just yet.

kinnison avatar Jul 16 '22 10:07 kinnison