Closed tirz closed 4 years ago
Thanks for continuing this. I suggest using the modern name "TLS" where possible rather than the obsolete "SSL" (though I would mention both in the documentation in case some people might have heard only of "SSL").
This looks like great stuff, but is something going on with Travis? Four days and no report?
maybe a github issue, it looks like everything is clear here: https://travis-ci.org/github/aatxe/irc/builds/667572920
just restarted it and hopefully it'll report correctly this time
oh, @tirz, can you also add to the travis configuration a build setup for using the rustls backend? that's definitely something we want to be part of continuous integration.
@aatxe
All connections to irc.pdgn.co
return an AlertReceived(HandshakeFailure)
while enabled the feature tls-rust
(because it is not able to find a supported cipher) :/
The simplest fix should be to use another irc network for the examples. Unfortunatly it will make build-bot.rs
useless.
So we may force the use of the feature tls-native
for the example build-bot.rs
?
Another option will be to follow https://github.com/ctz/rustls/issues/259#issuecomment-502267249 which recommend to enabled a cipher suite with elliptic curves on the server irc.pdgn.co
side.
running nmap --script ssl-enum-ciphers -p 6697 irc.pdgn.co
:
...
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_IDEA_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| 64-bit block cipher IDEA vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
...
Note: OFTC seems to use ECDHE-RSA-AES256-GCM-SHA384
by default (supported by rutls).
Suggestion: disable all cipher with grade C.
Continuity of https://github.com/aatxe/irc/pull/151
tls-native
andtls-rust
.use_tls
fromconfig.rs
if TLS is disabled: -- We should prefer a compile error instead of a fakeconfig.use_tls()
which always return false. Another alternative may be to put anunimplemented!()
macro.