Issue603

Title update the SSL certificate
Priority urgent Status chatting
Superseder Nosy List berker.peksag, matrixise, mmangoba, ncoghlan, r.david.murray, rouilj
Assigned To Topics

Created on 2016-08-03.00:07:42 by matrixise, last changed 2018-06-09.14:31:40 by berker.peksag.

Messages
msg3123 Author: matrixise Date: 2016-08-03.00:07:42
See this report on https://bugs.python.org

https://www.ssllabs.com/ssltest/analyze.html?d=bugs.python.org&s=2a01%3a4f8%3a131%3a2480%3a0%3a0%3a0%3a3&latest

https://www.ssllabs.com/ssltest/analyze.html?d=bugs.python.org&s=46.4.197.70

Thank you,

Stephane
msg3125 Author: r.david.murray Date: 2016-08-03.16:53:55
Grade: C.

That is pretty uninformative.  Did I miss something?
msg3127 Author: ncoghlan Date: 2016-08-06.14:35:20
I'm not sure why the direct link isn't working, but if you click on the "46.4.197.70" heading it will take you through to the detailed report.

"High"lights:

* This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
* Certificate has a weak signature and expires after 2015. Upgrade to SHA2 to avoid browser warnings.
* The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
* The server does not support Forward Secrecy with the reference browsers.

Of those, only the SHA1 signature is related to the cert itself - the rest have to do with Upfront's server configuration.
msg3136 Author: r.david.murray Date: 2016-08-09.16:10:44
Well, we can edit the apache server config too.  In fact, I thought I'd done the diffie-hellman fix, but I guess I didn't.

I don't understand the 'cert expires' part, it was renewed in September of 2015.

Is there any reason we couldn't use letsencrypt for bugs?
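As an added example (not from this tracker or the bugs.python.org deployment), here is an Apache mod_ssl virtual host in the kind of shape that produces the four findings quoted in msg3127, followed by a hardened version that clears them; the hostnames and file paths are assumptions, and the DH parameter file is one you generate yourself.

```apache
# --- Before: constructed to reproduce the msg3127 findings (paths are assumptions) ---
<VirtualHost *:443>
    SSLEngine on
    # TLS 1.2 explicitly disabled -> "supports only older protocols", grade capped to C
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1.2
    # Client picks the cipher and nothing prefers ECDHE/DHE -> no Forward Secrecy
    # with the reference browsers; mod_ssl's built-in 1024-bit DH group -> "weak DH"
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLHonorCipherOrder off
    # SHA-1 signed certificate -> "weak signature"; fix is a reissued SHA-256 cert
    SSLCertificateFile    /etc/ssl/certs/bugs.example.org.sha1.crt
    SSLCertificateKeyFile /etc/ssl/private/bugs.example.org.key
</VirtualHost>

# --- After: hardened (SSLOpenSSLConfCmd needs Apache 2.4.8+ built against OpenSSL 1.0.2+) ---
<VirtualHost *:443>
    SSLEngine on
    # Only TLS 1.2; the 2016 scanner's "current best" protocol
    SSLProtocol -all +TLSv1.2
    # Server-side preference with ECDHE/DHE suites first, so every reference browser
    # negotiates an ephemeral key exchange (Forward Secrecy) and RC4/MD5 are out
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4
    # 2048-bit DH group, generated once with:
    #   openssl dhparam -out /etc/ssl/private/dhparam.pem 2048
    # (on Apache 2.4.7 without SSLOpenSSLConfCmd, append the same PEM block to the
    # file named by SSLCertificateFile instead)
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparam.pem"
    # Certificate reissued with a SHA-256 signature (Let's Encrypt issues these)
    SSLCertificateFile    /etc/ssl/certs/bugs.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/bugs.example.org.key
</VirtualHost>
```

After reloading, `openssl s_client -connect host:443 -tls1_2` should show an ECDHE or DHE cipher in the negotiated suite, and `openssl x509 -in bugs.example.org.crt -noout -text` should report `Signature Algorithm: sha256WithRSAEncryption`.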
msg3452 Author: rouilj Date: 2018-06-01.01:03:10
r.david.murray said:

> I don't understand the 'cert expires' part, it was renewed in September of 2015.

You probably know this now but the cert may use an md5 signature which is not recommended for longer lived certs (e.g. post 2015). SHA1 is the preferred signature mode to prevent people from generating a fake cert that matches the md5 signature.

I would say Let's Encrypt works for certs. While we are at it, could you add a subject alt name for issues.roundup-tracker.org so we can change that to https?
msg3473 Author: berker.peksag Date: 2018-06-09.14:31:39
> * The server supports only older protocols, but not the current best TLS 1.2.
> Grade capped to C.

There is an open issue for this item: issue 578

I'm not sure whether we should close that as a duplicate of this one.
History
Date                User            Action  Args
2018-06-09 14:31:40 berker.peksag   set     nosy: + berker.peksag; messages: + msg3473
2018-06-01 01:03:11 rouilj          set     nosy: + rouilj; messages: + msg3452
2017-03-27 21:18:49 mmangoba        set     nosy: + mmangoba
2016-08-09 16:10:44 r.david.murray  set     messages: + msg3136
2016-08-06 14:35:21 ncoghlan        set     nosy: + ncoghlan; messages: + msg3127
2016-08-03 16:53:55 r.david.murray  set     status: unread -> chatting; nosy: + r.david.murray; messages: + msg3125
2016-08-03 00:07:42 matrixise       create