rust-lang / rustup

The Rust toolchain installer
https://rust-lang.github.io/rustup/
Apache License 2.0

Drop TLS1.1 from sh/rustup.rs server #2582

Open BryanQuigley opened 3 years ago

BryanQuigley commented 3 years ago

https://www.hardenize.com/report/rustup.rs/1606542595#www_tls https://www.ssllabs.com/ssltest/analyze.html?d=sh.rustup.rs

Disable TLS1.1 if you can, although this may create issues for CentOS6/RHEL6, currently in extended support mode.

Notes: No major browser should be using it now and the script should generally be enforcing tls1.2.

kinnison commented 3 years ago

I'm not sure if we have any control over the server's SSL support since it's cloudfront/AWS I think. @pietroalbini Do you know about this?

Even if we do support it, I know people use CentOS6 as a CI base platform so we shouldn't turn it off without some kind of backup plan for those users.

pietroalbini commented 3 years ago

It's possible to disable it on Cloudfront, not sure if we want to break CentOS/RHEL though. cc @cuviper

BryanQuigley commented 3 years ago

I was wrong about CentOS 6 - it appears a simple upgrade should let it get TLS1.2 - and if they haven't at this point that's very bad for them: https://status.yubico.com/2019/01/08/centos-6-and-tls1-2/

I believe just setting TLSv1.2_2018 would do it - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
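A defender-side check of the CloudFront setting discussed above, added here as an example that is neither part of this thread nor rustup's own deployment code: it maps each viewer security policy to the oldest protocol it admits (the mapping follows AWS's documented policy names), flags a distribution that still accepts anything below TLS 1.2, and raises the policy to TLSv1.2_2018 without ever lowering it. The distribution config is a constructed sample, not the real one for sh.rustup.rs.

```python
import json

# Minimum protocol each CloudFront viewer security policy admits (per AWS docs);
# the policy names sort by date, not strength, so map them explicitly.
POLICY_MIN_PROTOCOL = {
    "SSLv3": "SSLv3", "TLSv1": "TLSv1", "TLSv1_2016": "TLSv1",
    "TLSv1.1_2016": "TLSv1.1", "TLSv1.2_2018": "TLSv1.2",
    "TLSv1.2_2019": "TLSv1.2", "TLSv1.2_2021": "TLSv1.2",
}
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}
TARGET_POLICY = "TLSv1.2_2018"  # the policy suggested in the comment above

def audit_viewer_tls(distribution_config):
    """Return (ok, reason) describing the viewer-facing TLS floor."""
    cert = distribution_config.get("ViewerCertificate", {})
    # With the default *.cloudfront.net certificate AWS ignores the policy
    # and serves TLSv1; a custom certificate is needed to raise the floor.
    if cert.get("CloudFrontDefaultCertificate"):
        return False, "default certificate: policy ignored, TLS 1.0+ accepted"
    policy = cert.get("MinimumProtocolVersion", "TLSv1")
    floor = POLICY_MIN_PROTOCOL.get(policy)
    if floor is None:
        return False, f"unknown security policy {policy!r}"
    if PROTOCOL_RANK[floor] < PROTOCOL_RANK["TLSv1.2"]:
        return False, f"policy {policy} still accepts {floor}"
    return True, f"policy {policy} enforces {floor}"

def harden_viewer_tls(distribution_config, policy=TARGET_POLICY):
    """Return a copy with the security policy raised to `policy`, never lowered."""
    cfg = json.loads(json.dumps(distribution_config))  # deep copy, input untouched
    cert = cfg.setdefault("ViewerCertificate", {})
    current = POLICY_MIN_PROTOCOL.get(cert.get("MinimumProtocolVersion"), "SSLv3")
    if PROTOCOL_RANK[current] < PROTOCOL_RANK[POLICY_MIN_PROTOCOL[policy]]:
        cert["MinimumProtocolVersion"] = policy
    return cfg

# Constructed sample shaped like the DistributionConfig section returned by
# `aws cloudfront get-distribution-config`, still on TLSv1.1_2016 (hypothetical).
SAMPLE = {
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:000000000000:certificate/placeholder",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.1_2016",
    },
}

if __name__ == "__main__":
    print("before:", audit_viewer_tls(SAMPLE))
    print("after: ", audit_viewer_tls(harden_viewer_tls(SAMPLE)))
```

Feeding the hardened config back through `aws cloudfront update-distribution` (with the ETag from the get call) is the remaining step; the audit alone also catches the default-certificate case, where the policy field has no effect.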

kinnison commented 3 years ago

Oh interesting, that's useful to know. I assume similar exists for RHEL given their close connection to each other then.

cuviper commented 3 years ago

Yes, the change would have happened in RHEL6 first, then rebuilt for CentOS6. AFAIK this should be fine, but if there's any way to provide it on a test server first, I can try it out.

The other Linux baseline is SLE11-SP4, and it sounds like they have a solution, but it's complicated for openssl: https://www.suse.com/c/introducing-the-suse-linux-enterprise-11-security-module/

yerke commented 2 years ago

Disclaimer: I stumbled on this issue by accident, and I am not an expert in cryptography.

In case it's helpful, I wanted to point out EOL for CentOS 6 and RHEL 6 ended in November 2020. Maybe it's ok to disable TLS 1.1 now?

cc @cuviper @kinnison @pietroalbini

kinnison commented 2 years ago

I am aware of companies still using RHEL 6 with direct support from Red Hat, so I'd prefer not to disable this just yet.

ms-ati commented 1 year ago

Hello from Dec 2022! Just wondering, should an explicit threshold be defined for when TLS 1.1 will be disabled?

Wondering if it might be June 30, 2024, corresponding to the end of Extended life cycle support (ELS) add-on for RHEL 6 as listed here: https://access.redhat.com/support/policy/updates/errata ?

rami3l commented 1 month ago

> It's possible to disable it on Cloudfront, not sure if we want to break CentOS/RHEL though. cc @cuviper

@pietroalbini Are we still doing TLS 1.1 on rustup.sh, or can this be safely closed now?

djc commented 1 month ago

Per SSLLabs (https://www.ssllabs.com/ssltest/analyze.html?d=sh.rustup.rs) this is still an issue.

Note that both rustup-init.sh in most setups (wget and curl, except with wget provided by busybox) and rustup itself (with the rustls backend, which is the default on master) disable TLS 1.1.

cuviper commented 1 month ago

AFAIK, RHEL 6 already had available upgrades for TLS 1.2 when we discussed this before, and it just ended its ELS period anyway. The remaining "Extended Life" support is ongoing, but extremely limited.

cuviper commented 1 month ago

Plus, the project has required glibc 2.17 for a while now, so current rustup builds won't work on RHEL 6 anyway.