https://git.zx2c4.com Ubuntu trusty cipher compatibility

Brad Knowles brad at shub-internet.org
Mon Sep 4 23:41:11 CEST 2017 

On Aug 29, 2017, at 9:06 PM, Svend Sorensen <svend at svends.net> wrote:

> The ciphers used by https://git.zx2c4.com are not compatible with
> Ubuntu trusty's git/gnutls. Since this is the version of Ubuntu run by
> the Melpa Emacs package archive (https://melpa.org/), the
> password-store Emacs package is not getting updated there. The
> discussion with the Melpa team about the issue is here:
> 
> https://github.com/melpa/melpa/issues/4892
> 
> Would it be possible to enable one of the ciphers that Ubuntu trusty
> supports?

So, we know we don't want to support any NULL, ARCFOUR (RC4), EXPORT, or MD5 algorithms.  We also don't want to allow SRP, PSK, or DSS algorithms.  Nor single DES. 3DES is arguable, at best.  SHA1 has also been deprecated.  See <https://cipherli.st/> for some information on this subject.

Given the above, we can greatly reduce the list of algorithms that should perhaps be supported to the following:

	TLS_DHE_DSS_AES_128_CBC_SHA256                        0x00, 0x40
	TLS_DHE_DSS_AES_256_CBC_SHA256                        0x00, 0x6a
	TLS_DHE_RSA_AES_128_CBC_SHA256                        0x00, 0x67
	TLS_DHE_RSA_AES_256_CBC_SHA256                        0x00, 0x6b
	TLS_RSA_AES_128_CBC_SHA256                            0x00, 0x3c
	TLS_RSA_AES_256_CBC_SHA256                            0x00, 0x3d

The CBC algorithms aren't the best, we would prefer GCM instead.  But of the entire list you presented, these are probably the least bad algorithms we could choose from.

Note that the site in question seems to use exclusively elliptic-curve (EC) algorithms, according to the page at <https://www.ssllabs.com/ssltest/analyze.html?d=git.zx2c4.com&s=192.95.5.69>.


Sadly, trusty is pretty ancient these days, and it's going to have to be abandoned by the community sooner rather than later.

That is, unless the developers can update it somehow to support more modern algorithms.

--
Brad Knowles <brad at shub-internet.org>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20170904/430975af/attachment.asc>

More information about the Password-Store mailing list