Feature #11815: Have Tails::Download::HTTPS require TLS 1.2+

Feature #11815

Have Tails::Download::HTTPS require TLS 1.2+

Added by intrigeri 2016-09-20 04:25:16 . Updated 2019-01-30 11:47:47 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Tails_3.12

Start date:

2016-09-20

Due date:

% Done:

100%

Feature Branch:

perl5lib:feature/11815-tls-1.2

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Upgrader

Deliverable for:

Description

We currently set CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1. In Jessie, CURL_SSLVERSION_TLSv1_2 should be supported, and the websites we use this class for (i.e. our own one) support TLS 1.2. This will affect Tails Upgrader and (once ~~Feature #11810~~ is done) tails-security-check. The diff is trivial, we simply need to test that it actually works, and build a new tails-perl5lib package.

Subtasks

Related issues

Related to Tails - ~~Feature #14588~~: Self-host our website

Resolved

2018-10-03

History

#1 Updated by intrigeri 2018-10-30 07:06:51

related to ~~Feature #14588~~: Self-host our website added

#2 Updated by intrigeri 2018-11-17 17:23:42

Status changed from Confirmed to In Progress
Assignee set to segfault
Target version set to Tails_3.12
% Done changed from 0 to 30
QA Check set to Ready for QA
Feature Branch set to perl5lib:feature/11815-tls-1.2

Tested only by patching the relevant 2 lines in a running Tails, restarted the 2 systemd --user services that use this code (tails-security-check.service, tails-upgrade-frontend.service), made sure they worked fine.

If you’re happy with the branch, please merge into perl5lib:master then I’ll do a release, build a package, upload to an APT overlay suite, and make sure our test suite still passes before merging this into tails.git:devel.

#3 Updated by intrigeri 2019-01-04 15:20:56

Assignee deleted (~~segfault~~)

#4 Updated by lamby 2019-01-06 14:51:08

Assignee set to intrigeri
QA Check changed from Ready for QA to Pass

LGTM. I can’t seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)

I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.

#5 Updated by hefee 2019-01-06 15:31:11

lamby wrote:
> LGTM. I can’t seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)
>
> I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.

Checked with @intrigeri by hand the two scripts (tails-security-check.service, tails-upgrade-frontend.service), that are affected. We made sure, that the scripts fail if the patch would add wired stuff and that jenkins will also check the outcomes.

#6 Updated by intrigeri 2019-01-06 16:15:17

% Done changed from 30 to 60
QA Check changed from Pass to Ready for QA

Released + uploaded 2.0.2-1 to our feature-11815-tls-1.2 overlay. Let’s see what Jenkins thinks.

#7 Updated by intrigeri 2019-01-07 08:18:27

Status changed from In Progress to Fix committed
% Done changed from 60 to 100

Applied in changeset commit:tails|8e08104e3fecc669d9a74ac0b9c007a79c4c3ad4.

#8 Updated by intrigeri 2019-01-07 08:18:55

Assignee deleted (~~intrigeri~~)
QA Check changed from Ready for QA to Pass

#9 Updated by anonym 2019-01-30 11:47:47

Status changed from Fix committed to Resolved