i2p / i2p.i2p

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.
https://geti2p.net

Inadequate Encryption Strength CVE multiples #61

Open s-b-repo opened 9 months ago

s-b-repo commented 9 months ago

    if (_log.shouldLog(Log.INFO)) _log.info("Loaded total of " + totalAdds + " new trusted certificates");

    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line: 430

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance. [core/java/src/net/i2p/util/SSLEepGet.java]

        return false;
    }
    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line: 141

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance. [router/java/src/net/i2p/router/client/SSLClientListenerRunner.java]

        // don't continue, since we didn't load the system keystore, we have nothing.
        throw new GeneralSecurityException(msg);
    }

line: 529

    SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance. [core/java/src/net/i2p/util/I2PSSLSocketFactory.java]

    }

    InputStream fis = null;
    try {

line: 198

        SSLContext sslc = SSLContext.getInstance("TLS");

Implement secure HTTPS communication. Consider using latest TLSv1.2 instead of javax.net.ssl.SSLContext.getInstance. [apps/i2ptunnel/java/src/net/i2p/i2ptunnel/SSLClientUtil.java]

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line: 163

[apps/sam/java/src/net/i2p/sam/client/SSLUtil.java]

    }

    InputStream fis = null;
    try {
        SSLContext sslc = SSLContext.getInstance("TLS");

line: 162

[apps/sam/java/src/net/i2p/sam/SSLUtil.java]

learn how to fix https://learn.snyk.io/lesson/insecure-hash/?authenticate=automatic
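For readers weighing the scanner's suggestion, the following is an added example (not I2P project code and not part of this issue) showing how a `"TLS"` context can be restricted to TLSv1.2/TLSv1.3 per socket instead of pinning a single version string in `SSLContext.getInstance`. In SunJSSE the protocol name passed to `getInstance` caps the highest version the context supports, so `getInstance("TLSv1.2")` would exclude TLSv1.3; restricting the enabled protocols on the socket keeps the newest version the JVM offers. The class name, the `ALLOWED` list and the use of the JVM's default key and trust managers are assumptions made for the example.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper, not from the I2P code base.
public class TlsProtocolCheck {

    // Versions we are willing to negotiate, newest first (assumption for this example).
    static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    // "TLS" is an alias for the provider's default context; it does not pin a version
    // by itself, so the version policy has to be applied to the socket or engine.
    static SSLContext defaultContext() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null managers = JVM defaults; a real deployment passes its own trust store here.
        ctx.init(null, null, null);
        return ctx;
    }

    // Intersect the allow-list with what this JVM actually supports, so a JVM
    // without TLSv1.3 still gets TLSv1.2 rather than an empty protocol list.
    static String[] allowedProtocols(SSLContext ctx) {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        return ALLOWED.stream().filter(supported::contains).toArray(String[]::new);
    }

    // Apply the protocol allow-list and hostname verification to a socket before connecting.
    static SSLSocket restrict(SSLSocket socket, SSLContext ctx) {
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(allowedProtocols(ctx));
        params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the peer name against the cert
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = defaultContext();
        System.out.println("JVM default enabled: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("Allow-list after intersection: "
                + Arrays.toString(allowedProtocols(ctx)));

        SSLSocketFactory factory = ctx.getSocketFactory();
        // Unconnected socket: lets us inspect the resulting configuration offline.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            restrict(socket, ctx);
            System.out.println("Socket enabled protocols: "
                    + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

Running it prints the JVM's default protocol list first, then the list actually enabled on the socket; the difference is what a scanner keyed on the `"TLS"` string cannot see, because the effective policy lives in `SSLParameters`, not in the `getInstance` argument.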

eyedeekay commented 9 months ago

This is likely not something we can fix in a way which will satisfy the scanner you're using, because of the TLS ladder being pulled up behind .onion services. We have to allow self-signed certificates and we have to silently accept self-signed SSL certificates when they come from I2P hostnames in eepget/ssleepget. However, if using a more modern library can satisfy our requirement then maybe it's worth it. Leaving it open for further consideration.

s-b-repo commented 9 months ago

> This is likely not something we can fix in a way which will satisfy the scanner you're using, because of the TLS ladder being pulled up behind .onion services. We have to allow self-signed certificates and we have to silently accept self-signed SSL certificates when they come from I2P hostnames in eepget/ssleepget. However, if using a more modern library can satisfy our requirement then maybe it's worth it. Leaving it open for further consideration.

Why not make a bunch of real certificate hosts, basically people, where everyone verifies each other's certs?