From: Robert Pluim
Newsgroups: gmane.emacs.devel
Subject: Re: Getting SSL test A+ grade on elpa.gnu.org
Date: Wed, 25 Nov 2020 18:51:15 +0100
Message-ID: <87d001wcj0.fsf@gmail.com>
To: 김민우
Cc: emacs-devel@gnu.org
In-Reply-To: <20201125173812.GD1558@odonien.localdomain> (Vasilij Schneidermann's message of "Wed, 25 Nov 2020 18:38:12 +0100")
Xref: news.gmane.io gmane.emacs.devel:259795

Vasilij Schneidermann writes:

>> It could have a bad effect on security and privacy for emacs users. Would
>> you apply only TLS 1.3 on elpa.gnu.org?
>
> ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
> TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
> successfully establish a connection to GNU ELPA?

Right.

> Another thing to watch out for is the cipher suites. To reach a good
> rating several of them need to be disabled and extensive testing is
> required to ensure that we don't exclude users from fetching packages
> for no apparent reason.

The impression I get is that reordering the cipher suite list to put the
weak ones at the end might be enough to improve the score. That shouldn't
create any compatibility issues (and is a good idea regardless of just
'improving our score').

> Something else I'm curious about, what exactly blocks us from forcing a
> HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
> widely used Emacs version or are there others?

Are you sure that all the versions of Emacs that connect to elpa.gnu.org
work correctly in the face of such a redirect? What about versions that
don't support https?
Robert
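The reordering Robert suggests, as an added example that is not part of the thread or of the elpa.gnu.org configuration: the cipher list is kept intact (so no client that could negotiate before is excluded), strong suites are moved ahead of weak ones, and the server is told to use its own preference order with TLS 1.2 as the floor rather than 1.3 only. The configured cipher list and the "weak suite" heuristic (no forward secrecy, RC4, 3DES, or a non-AEAD mode) are constructed for this example; the exact scoring rules belong to whichever grading tool is used, not to this script.

```python
import re
import ssl

# Constructed example of a server's configured cipher list, in the order
# it might have accumulated over time, with weak suites interleaved.
CONFIGURED_SUITES = [
    "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DES-CBC3-SHA",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "RC4-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
]

# Assumed heuristic for this example: patterns that mark a suite as weak.
WEAK_PATTERNS = [
    re.compile(r"RC4"),
    re.compile(r"DES-CBC3|3DES"),
    re.compile(r"NULL|EXPORT|MD5"),
]


def is_weak(suite: str) -> bool:
    """Classify an OpenSSL cipher suite name as weak under the heuristic above."""
    if not (suite.startswith("ECDHE-") or suite.startswith("DHE-")):
        return True  # no forward secrecy
    if any(p.search(suite) for p in WEAK_PATTERNS):
        return True
    if "GCM" not in suite and "POLY1305" not in suite:
        return True  # CBC / non-AEAD mode
    return False


def reorder_suites(suites):
    """Return the same suites with strong ones first and weak ones last.

    Relative order inside each group is preserved and nothing is dropped,
    so every client that could negotiate before still can; only the
    server's preference changes."""
    strong = [s for s in suites if not is_weak(s)]
    weak = [s for s in suites if is_weak(s)]
    return strong + weak


def build_server_context(suites):
    """Build a server-side SSLContext that enforces the reordered list.

    OP_CIPHER_SERVER_PREFERENCE makes the server, not the client, pick from
    the ordered list; the TLS 1.2 floor matches 'TLSv1.2 and upwards' from
    the thread rather than a 1.3-only policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # OpenSSL silently skips names it cannot use, so a suite that the local
    # library no longer ships is not an error as long as one suite remains.
    ctx.set_ciphers(":".join(reorder_suites(suites)))
    return ctx


def context_summary(ctx):
    """Report the settings a reviewer would check on the built context."""
    return {
        "min_version": ctx.minimum_version.name,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
    }


if __name__ == "__main__":
    for s in reorder_suites(CONFIGURED_SUITES):
        print(("weak   " if is_weak(s) else "strong ") + s)
    print(context_summary(build_server_context(CONFIGURED_SUITES)))
```

The same ordering can be expressed in a web server's cipher directive together with the server-preference option; the point of the script is that reordering alone changes which suite gets chosen for clients that offer both strong and weak suites, while clients that only speak the weak ones still connect.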