
deprecated crypto defaults #44

Closed
eslerm opened this issue Jan 17, 2024 · 3 comments

Comments

@eslerm (Member) commented Jan 17, 2024

I am unsure if this issue belongs here or just as a note for Security reviewers in https://git.launchpad.net/ubuntu-security-tools/tree/audits/workflow.template#n219

Spec FO152 (pending) aims to disable TLS 1.0 and 1.1 by default, as these were deprecated by RFC 8996 in 2021. If a MIR package uses TLS/SSL the owning team should be responsible for spec compliance.

@adrien-n commented Jan 17, 2024

I typically use sslscan to assess which protocols and ciphers are enabled. Its colored output is not normed but is a good start if you don't know what you're looking at. :)
Just follow the packages' docs on how to enable TLS and use the "snakeoil" certs generated by the "ssl-cert" package.

See the screenshots below for examples. As you see, it's easy to spot TLS 1.0 and 1.1 being enabled. :)

[screenshot: sslscan ubuntu.com]

[screenshot: sslscan example.org]

Of course, with a snakeoil cert, the SSL certificate won't be considered valid but you shouldn't take that into account, that's expected.
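As an added example (not part of this thread, and not sslscan's own code): a POSIX shell check that parses sslscan's text output and fails when a protocol deprecated by RFC 8996 is reported as enabled, so the visual "easy to spot" check above can be run non-interactively. It assumes sslscan 2.x's "SSL/TLS Protocols:" block format and works over constructed sample output rather than a real scan; the hostname in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from this issue thread): flag protocol versions that RFC 8996
# deprecates (TLS 1.0/1.1, plus SSLv2/SSLv3) in sslscan's text output.
# Assumes sslscan 2.x, whose "SSL/TLS Protocols:" block prints one
# "<protocol>  enabled|disabled" line per protocol, terminated by a blank line.

# deprecated_enabled: read sslscan output on stdin, print each deprecated
# protocol that is reported "enabled", one per line.
deprecated_enabled() {
    awk '
        /SSL\/TLS Protocols:/ { inblock = 1; next }
        inblock && NF == 0    { inblock = 0 }
        inblock && $2 == "enabled" && $1 ~ /^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$/ { print $1 }
    '
}

# check_tls_defaults: read sslscan output on stdin; return 0 when no deprecated
# protocol is enabled, 1 otherwise, printing one PASS/FAIL line per finding.
check_tls_defaults() {
    found=$(deprecated_enabled)
    if [ -z "$found" ]; then
        echo "PASS: no protocol deprecated by RFC 8996 is enabled"
        return 0
    fi
    for proto in $found; do
        echo "FAIL: $proto is enabled (deprecated by RFC 8996)"
    done
    return 1
}

# Against a real service (needs sslscan installed; the host is a placeholder):
#   sslscan --no-colour localhost:443 | check_tls_defaults
# --no-colour matters: colour escape codes would otherwise wrap the
# "enabled"/"disabled" tokens and break the field comparison in awk.

# Constructed sample outputs modelled on sslscan 2.x, not captured from a scan.
# First: a service still shipping legacy defaults (TLS 1.0/1.1 on).
SAMPLE_LEGACY_DEFAULTS='Testing SSL server localhost on port 443 using SNI name localhost

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve 25519 DHE 253
'

# Second: defaults that match the spec (only TLS 1.2 and 1.3 enabled).
SAMPLE_SPEC_COMPLIANT='Testing SSL server localhost on port 443 using SNI name localhost

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled
'

# Stand-alone demonstration over the two samples (cipher lines that mention
# TLSv1.0 are ignored on purpose: only the protocol block is parsed).
demo() {
    for sample in "$SAMPLE_LEGACY_DEFAULTS" "$SAMPLE_SPEC_COMPLIANT"; do
        printf '%s\n' "$sample" | check_tls_defaults || true
    done
}
demo
```

The parser deliberately restricts itself to the "SSL/TLS Protocols:" block: the cipher listing further down also names TLSv1.0 on "Accepted" lines, and grepping the whole output for the string would produce false positives. Because a snakeoil certificate is expected to fail validation, certificate fields are not examined at all; the check only answers the question the issue raises, whether deprecated protocol versions are enabled by default.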

@cpaelzer (Collaborator) commented

I feel we should place a hint that this is expected in the submitters template (for awareness) but the check would IMHO live best in the note for Security reviewers that @eslerm mentioned.

Let us discuss and conclude the way forward in the next MIR team meeting.

@eslerm (Member, Author) commented Jan 24, 2024

Thanks @cpaelzer. A light hint so that owning teams know what to expect sounds perfect. Is that hint okay as a soft check? #45

A more in-depth check will be performed by the Security team.

cpaelzer added a commit that referenced this issue Jan 31, 2024
While security has to check it, submitters and reviewers should
be aware and might help to flag something early.

Fixes: #44

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Co-Authored-by: Mark Esler <mark.esler@canonical.com>