Feature #11815

Have Tails::Download::HTTPS require TLS 1.2+

Added by intrigeri 2016-09-20 04:25:16. Updated 2019-01-30 11:47:47.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2016-09-20
Due date:
% Done: 100%
Feature Branch: perl5lib:feature/11815-tls-1.2
Type of work: Code
Blueprint:
Starter:
Affected tool: Upgrader
Deliverable for:

Description

We currently set CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1. In Jessie, CURL_SSLVERSION_TLSv1_2 should be supported, and the websites we use this class for (i.e. our own one) support TLS 1.2. This will affect Tails Upgrader and (once Feature #11810 is done) tails-security-check. The diff is trivial; we simply need to test that it actually works, and build a new tails-perl5lib package.


Related issues

Related to Tails - Feature #14588: Self-host our website Resolved 2018-10-03

History

#1 Updated by intrigeri 2018-10-30 07:06:51

#2 Updated by intrigeri 2018-11-17 17:23:42

  • Status changed from Confirmed to In Progress
  • Assignee set to segfault
  • Target version set to Tails_3.12
  • % Done changed from 0 to 30
  • QA Check set to Ready for QA
  • Feature Branch set to perl5lib:feature/11815-tls-1.2

Tested only by patching the relevant 2 lines in a running Tails, restarted the 2 systemd --user services that use this code (tails-security-check.service, tails-upgrade-frontend.service), made sure they worked fine.

If you’re happy with the branch, please merge into perl5lib:master then I’ll do a release, build a package, upload to an APT overlay suite, and make sure our test suite still passes before merging this into tails.git:devel.

#3 Updated by intrigeri 2019-01-04 15:20:56

  • Assignee deleted (segfault)

#4 Updated by lamby 2019-01-06 14:51:08

  • Assignee set to intrigeri
  • QA Check changed from Ready for QA to Pass

LGTM. I can’t seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)

I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.
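
Added example, not part of the ticket or of Tails code: a shell check of the libcurl minimum quoted in comment #4 (7.34.0), comparing version fields numerically so that 7.9.8 is not ranked above 7.34.0. The function names and the two banner strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tails code): decide from the first line of `curl --version`
# whether libcurl is new enough to pin TLS 1.1/1.2 (minimum from comment #4).
# This checks the libcurl version only; the TLS backend must support TLS 1.2 too.

MIN_LIBCURL="7.34.0"

# Constructed sample banners (not captured from a real system).
JESSIE_BANNER="curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8"
OLD_BANNER="curl 7.9.8 (i386-pc-linux-gnu) libcurl/7.9.8 OpenSSL/0.9.6"

# Print the libcurl version found in a banner line (empty if absent).
libcurl_version() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n 's|^libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing each field as a number.
# A plain string comparison would wrongly rank 7.9.8 above 7.34.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# 0: version is sufficient, 1: too old, 2: no libcurl version in the banner.
can_pin_tls12() {
    v=$(libcurl_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$MIN_LIBCURL"
}
```

On a live system the banner would come from `curl --version | head -n 1`.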

#5 Updated by hefee 2019-01-06 15:31:11

lamby wrote:
> LGTM. I can’t seem to push to master here though so you will have to do the merge (it fast-forwards so not a problem…)
>
> I checked that forcing TLS 1.1 and 1.2 is a feature supported in our curl, but this was added in curl 7.34.0 and that is easily satisfied even in jessie (at least 7.38.0-4) - see this manual page entry for more info.

Checked by hand with @intrigeri the two scripts (tails-security-check.service, tails-upgrade-frontend.service) that are affected. We made sure that the scripts fail if the patch would add weird stuff and that Jenkins will also check the outcomes.

#6 Updated by intrigeri 2019-01-06 16:15:17

  • % Done changed from 30 to 60
  • QA Check changed from Pass to Ready for QA

Released + uploaded 2.0.2-1 to our feature-11815-tls-1.2 overlay. Let’s see what Jenkins thinks.

#7 Updated by intrigeri 2019-01-07 08:18:27

  • Status changed from In Progress to Fix committed
  • % Done changed from 60 to 100

Applied in changeset commit:tails|8e08104e3fecc669d9a74ac0b9c007a79c4c3ad4.

#8 Updated by intrigeri 2019-01-07 08:18:55

  • Assignee deleted (intrigeri)
  • QA Check changed from Ready for QA to Pass

#9 Updated by anonym 2019-01-30 11:47:47

  • Status changed from Fix committed to Resolved