rustup
Drop TLS1.1 from sh/rustup.rs server
https://www.hardenize.com/report/rustup.rs/1606542595#www_tls https://www.ssllabs.com/ssltest/analyze.html?d=sh.rustup.rs
Disable TLS1.1 if you can, although this may create issues for CentOS6/RHEL6, which are currently in extended support mode.
Notes: No major browser should be using it now, and the script should generally be enforcing TLS1.2.
I'm not sure if we have any control over the server's SSL support since it's CloudFront/AWS, I think. @pietroalbini Do you know about this?
Even if we do support it, I know people use CentOS6 as a CI base platform so we shouldn't turn it off without some kind of backup plan for those users.
It's possible to disable it on CloudFront; not sure if we want to break CentOS/RHEL though. cc @cuviper
I was wrong about CentOS 6 - it appears a simple upgrade should let it get TLS1.2 - and if they haven't at this point that's very bad for them: https://status.yubico.com/2019/01/08/centos-6-and-tls1-2/
I believe just setting TLSv1.2_2018 would do it - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
Oh interesting, that's useful to know. I assume similar exists for RHEL given their close connection to each other then.
Yes, the change would have happened in RHEL6 first, then rebuilt for CentOS6. AFAIK this should be fine, but if there's any way to provide it on a test server first, I can try it out.
The other Linux baseline is SLE11-SP4, and it sounds like they have a solution, but it's complicated for openssl: https://www.suse.com/c/introducing-the-suse-linux-enterprise-11-security-module/
Disclaimer: I stumbled on this issue by accident, and I am not an expert in cryptography.
In case it's helpful, I wanted to point out EOL for CentOS 6 and RHEL 6 ended in November 2020. Maybe it's ok to disable TLS 1.1 now?
cc @cuviper @kinnison @pietroalbini
I am still aware of companies still using RHEL 6 with direct support from Red Hat, so I'd prefer not to disable this just yet.
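
An added example, not part of the original thread or the rustup project's code: a Python check over the JSON printed by `aws cloudfront get-distribution-config` that reports whether the viewer security policy discussed above (`TLSv1.2_2018` versus older policies) still permits TLS 1.1 or lower. The sample documents are constructed, and a policy missing from the table is flagged for manual review rather than guessed.

```python
import json

# Lowest protocol each CloudFront viewer security policy still negotiates.
POLICY_FLOOR = {
    "SSLv3": "SSLv3", "TLSv1": "TLSv1.0", "TLSv1_2016": "TLSv1.0",
    "TLSv1.1_2016": "TLSv1.1", "TLSv1.2_2018": "TLSv1.2",
    "TLSv1.2_2019": "TLSv1.2", "TLSv1.2_2021": "TLSv1.2",
}
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Constructed sample documents (not the real sh.rustup.rs configuration).
SAMPLE_BEFORE = json.dumps({"ETag": "EXAMPLE", "DistributionConfig": {
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:EXAMPLE",
                          "SSLSupportMethod": "sni-only",
                          "MinimumProtocolVersion": "TLSv1.1_2016"}}})
SAMPLE_AFTER = SAMPLE_BEFORE.replace("TLSv1.1_2016", "TLSv1.2_2018")
SAMPLE_DEFAULT_CERT = json.dumps({"ViewerCertificate": {
    "CloudFrontDefaultCertificate": True,
    "MinimumProtocolVersion": "TLSv1.2_2018"}})


def viewer_tls_floor(config_json):
    """Return (policy, lowest_protocol); lowest_protocol is None if unknown."""
    doc = json.loads(config_json)
    # get-distribution-config wraps the config in an envelope with the ETag.
    cfg = doc.get("DistributionConfig", doc)
    cert = cfg.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        # With the default *.cloudfront.net certificate CloudFront applies
        # the TLSv1 policy, whatever MinimumProtocolVersion says.
        policy = "TLSv1"
    else:
        policy = cert.get("MinimumProtocolVersion")
    return policy, POLICY_FLOOR.get(policy)


def allows_below_tls12(config_json):
    """True if viewers can still negotiate TLS 1.1 or older."""
    policy, floor = viewer_tls_floor(config_json)
    if floor is None:
        raise ValueError(f"unknown security policy {policy!r}; review manually")
    return ORDER.index(floor) < ORDER.index("TLSv1.2")


if __name__ == "__main__":
    for name in ("SAMPLE_BEFORE", "SAMPLE_AFTER", "SAMPLE_DEFAULT_CERT"):
        print(name, viewer_tls_floor(globals()[name]),
              "allows <TLS1.2:", allows_below_tls12(globals()[name]))
```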