rust-lang / rustup

The Rust toolchain installer
https://rust-lang.github.io/rustup/
Apache License 2.0

Ubuntu 14.04: Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure #3384

Open yerke opened 1 year ago

yerke commented 1 year ago

Problem

@rbtcollins suggested I file this issue in https://github.com/rust-lang/www.rust-lang.org/pull/1823.

On stock Ubuntu 14.04 LTS (which has extended security maintenance until 2024-04-25) that comes with curl 7.35.0 I see:

Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure
Warning: Not enforcing TLS v1.2, this is potentially less secure

Those warnings happen whether or not you add --proto '=https' --tlsv1.2, as currently recommended in https://github.com/rust-lang/www.rust-lang.org/blob/961dcbda8dff80eb19dd046d3e748d054e6b39d1/templates/components/tools/rustup.html.hbs#L20 and https://github.com/rust-lang/rustup/blob/843459f893091f89b2dd5c7a977da1b3eb28df1b/www/index.html#L31

I want to point out that rust-init.sh is correct in printing out those warnings. curl 7.35.0 that comes with stock Ubuntu 14.04 shows that it only supports --tlsv1 when I look at the options using curl --help all, as rust-init.sh does.

According to https://launchpad.net/ubuntu/trusty/+source/curl, 7.35.0 is indeed the latest version available for Ubuntu 14.04. Running sudo apt-get upgrade curl didn't change the result.

Disclaimer: I do not use Ubuntu 14.04 for anything, nor do I expect anyone reasonable to use that ancient version. I just looked up the oldest version of Ubuntu somebody might be using while researching for the PR I linked above and I was specifically looking to trigger that warning / take the corresponding code path.

Steps

  1. Install Ubuntu 14.04 LTS
  2. Try to install Rust with rustup: curl https://sh.rustup.rs -sSf | sh

Possible Solution(s)

Do nothing. I think those warnings are expected in this case.

Notes

No response

Rustup version

Not applicable. We are trying to execute https://github.com/rust-lang/rustup/blob/843459f893091f89b2dd5c7a977da1b3eb28df1b/rustup-init.sh instead.

Installed toolchains

Not applicable.
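
As an added illustration, not code from rustup-init.sh or from either commenter, here is a POSIX sh sketch of the capability probe an installer script can run over `curl --help all` output before deciding which hardening flags it may pass, degrading with the warnings quoted above when a flag is missing. The help excerpts are constructed, the cipher list is a placeholder, and the mapping of missing flags to the two warnings is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not code from rustup-init.sh: probe what a curl binary advertises
# in `curl --help all` and degrade with a warning when a hardening flag is missing.

# Constructed help excerpt resembling a curl that knows --proto, --tlsv1.2 and --ciphers.
NEW_CURL_HELP='     --ciphers <list>    SSL ciphers to use
     --proto <protocols> Enable/disable PROTOCOLS
     --tlsv1             Use TLSv1.0 or greater
     --tlsv1.2           Use TLSv1.2 or greater'

# Constructed help excerpt that, like the 14.04 case in the issue, only advertises --tlsv1;
# it deliberately omits --ciphers as well so that both warning paths are exercised.
OLD_CURL_HELP='     --proto PROTOCOLS  Enable/disable PROTOCOLS
 -1, --tlsv1            Use => TLSv1 (SSL)'

# Placeholder cipher list for the example; a real installer curates its own.
EXAMPLE_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'

# help_supports HELP_TEXT FLAG... : succeed only if every FLAG appears as a whole
# token. Tokenising avoids false positives such as --tlsv1 matching --tlsv1.2
# or --proto matching --proto-default.
help_supports() {
    _help=$1; shift
    for _flag in "$@"; do
        printf '%s\n' "$_help" | tr ',' ' ' | tr -s ' \t' '\n' \
            | grep -qxF -- "$_flag" || return 1
    done
    return 0
}

# curl_hardening_flags HELP_TEXT : print the flags that can be passed safely and
# return 1 if any protection had to be dropped. The flag-to-warning mapping is
# an assumption made for this example.
curl_hardening_flags() {
    _flags=""; _rc=0
    if help_supports "$1" --proto --tlsv1.2; then
        _flags="--proto =https --tlsv1.2"
    else
        echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" >&2
        _rc=1
    fi
    if help_supports "$1" --ciphers; then
        _flags="${_flags:+$_flags }--ciphers $EXAMPLE_CIPHERS"
    else
        echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" >&2
        _rc=1
    fi
    printf '%s\n' "$_flags"
    return $_rc
}
```

A caller would run `curl $(curl_hardening_flags "$(curl --help all)") -sSf URL` and treat a non-zero status from the probe as a signal that the download is happening with weaker transport guarantees.
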
rbtcollins commented 1 year ago

Thank you @yerke. Since this is correctly telling us about a security gap, I don't think we have a concrete problem per se. Though perhaps we should document that older curls will error when given --tlsv1.2 for the initial script download - and what that means.