Feature #11815
Have Tails::Download::HTTPS require TLS 1.2+
100%
Description
We currently set CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1. In Jessie, CURL_SSLVERSION_TLSv1_2 should be supported, and the websites we use this class for (i.e. our own one) support TLS 1.2. This will affect Tails Upgrader and (once Feature #11810 is done) tails-security-check. The diff is trivial, we simply need to test that it actually works, and build a new tails-perl5lib package.
History
#1 Updated by intrigeri 2018-10-30 07:06:51
- related to Feature #14588: Self-host our website added
#2 Updated by intrigeri 2018-11-17 17:23:42
- Status changed from Confirmed to In Progress
- Assignee set to segfault
- Target version set to Tails_3.12
- % Done changed from 0 to 30
- QA Check set to Ready for QA
- Feature Branch set to perl5lib:feature/11815-tls-1.2
Tested only by patching the relevant 2 lines in a running Tails, restarted the 2 systemd --user services that use this code (tails-security-check.service, tails-upgrade-frontend.service), made sure they worked fine.
If you’re happy with the branch, please merge into perl5lib:master then I’ll do a release, build a package, upload to an APT overlay suite, and make sure our test suite still passes before merging this into tails.git:devel.
#3 Updated by intrigeri 2019-01-04 15:20:56
- Assignee deleted (segfault)
#4 Updated by lamby 2019-01-06 14:51:08
- Assignee set to intrigeri
- QA Check changed from Ready for QA to Pass
LGTM. I can’t seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)
I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.
#5 Updated by hefee 2019-01-06 15:31:11
lamby wrote:
> LGTM. I can’t seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)
>
> I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.
Checked by hand with @intrigeri the two scripts (tails-security-check.service, tails-upgrade-frontend.service) that are affected. We made sure that the scripts fail if the patch would add weird stuff and that Jenkins will also check the outcomes.
#6 Updated by intrigeri 2019-01-06 16:15:17
- % Done changed from 30 to 60
- QA Check changed from Pass to Ready for QA
Released + uploaded 2.0.2-1 to our feature-11815-tls-1.2 overlay. Let’s see what Jenkins thinks.
#7 Updated by intrigeri 2019-01-07 08:18:27
- Status changed from In Progress to Fix committed
- % Done changed from 60 to 100
Applied in changeset commit:tails|8e08104e3fecc669d9a74ac0b9c007a79c4c3ad4.
#8 Updated by intrigeri 2019-01-07 08:18:55
- Assignee deleted (intrigeri)
- QA Check changed from Ready for QA to Pass
#9 Updated by anonym 2019-01-30 11:47:47
- Status changed from Fix committed to Resolved