https://git.zx2c4.com Ubuntu trusty cipher compatibility
brad at shub-internet.org
Mon Sep 4 23:41:11 CEST 2017
On Aug 29, 2017, at 9:06 PM, Svend Sorensen <svend at svends.net> wrote:
> The ciphers used by https://git.zx2c4.com are not compatible with
> Ubuntu trusty's git/gnutls. Since this is the version of Ubuntu run by
> the Melpa Emacs package archive (https://melpa.org/), the
> password-store Emacs package is not getting updated there. The
> discussion with the Melpa team about the issue is here:
> Would it be possible to enable one of the ciphers that Ubuntu trusty
So, we know we don't want to support any NULL, ARCFOUR (RC4), EXPORT, or MD5 algorithms. We also don't want to allow SRP, PSK, or DSS algorithms. Nor single DES. 3DES is arguable, at best. SHA1 has also been deprecated. See <https://cipherli.st/> for some information on this subject.
Given the above, we can greatly reduce the list of algorithms that should perhaps be supported to the following:
TLS_DHE_DSS_AES_128_CBC_SHA256 0x00, 0x40
TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a
TLS_DHE_RSA_AES_128_CBC_SHA256 0x00, 0x67
TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b
TLS_RSA_AES_128_CBC_SHA256 0x00, 0x3c
TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d
The CBC algorithms aren't the best, we would prefer GCM instead. But of the entire list you presented, these are probably the least bad algorithms we could choose from.
Note that the site in question seems to use exclusively elliptic-curve (EC) algorithms, according to the page at <https://www.ssllabs.com/ssltest/analyze.html?d=git.zx2c4.com&s=126.96.36.199>.
Sadly, trusty is pretty ancient these days, and it's going to have to be abandoned by the community sooner rather than later.
That is, unless the developers can update it somehow to support more modern algorithms.
Brad Knowles <brad at shub-internet.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 832 bytes
Desc: Message signed with OpenPGP
More information about the Password-Store