On Aug 29, 2017, at 9:06 PM, Svend Sorensen <sv...@svends.net> wrote:
> The ciphers used by https://git.zx2c4.com are not compatible with
> Ubuntu trusty's git/gnutls. Since this is the version of Ubuntu run by
> the Melpa Emacs package archive (https://melpa.org/), the
> password-store Emacs package is not getting updated there. The
> discussion with the Melpa team about the issue is here:
>
> https://github.com/melpa/melpa/issues/4892
>
> Would it be possible to enable one of the ciphers that Ubuntu trusty
> supports?

So, we know we don't want to support any NULL, ARCFOUR (RC4), EXPORT, or MD5 algorithms. We also don't want to allow SRP, PSK, or DSS algorithms. Nor single DES. 3DES is arguable, at best. SHA1 has also been deprecated. See <https://cipherli.st/> for some information on this subject.

Given the above, we can greatly reduce the list of algorithms that should perhaps be supported to the following:

    TLS_DHE_DSS_AES_128_CBC_SHA256    0x00, 0x40
    TLS_DHE_DSS_AES_256_CBC_SHA256    0x00, 0x6a
    TLS_DHE_RSA_AES_128_CBC_SHA256    0x00, 0x67
    TLS_DHE_RSA_AES_256_CBC_SHA256    0x00, 0x6b
    TLS_RSA_AES_128_CBC_SHA256        0x00, 0x3c
    TLS_RSA_AES_256_CBC_SHA256        0x00, 0x3d

The CBC algorithms aren't the best; we would prefer GCM instead. But of the entire list you presented, these are probably the least bad algorithms we could choose from.

Note that the site in question seems to use exclusively elliptic-curve (EC) algorithms, according to the page at <https://www.ssllabs.com/ssltest/analyze.html?d=git.zx2c4.com&s=192.95.5.69>.

Sadly, trusty is pretty ancient these days, and it's going to have to be abandoned by the community sooner rather than later. That is, unless the developers can update it somehow to support more modern algorithms.

-- 
Brad Knowles <b...@shub-internet.org>
_______________________________________________ Password-Store mailing list Password-Store@lists.zx2c4.com https://lists.zx2c4.com/mailman/listinfo/password-store
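The exclusion rules from the reply above (no NULL, RC4, EXPORT, MD5, SRP, PSK, DSS, single DES, 3DES or SHA-1; GCM preferred over CBC), turned into a small triage script as an added example; this is not code from the thread or from the password-store project. The suite names are in the GnuTLS spelling used in the thread and the candidate list is constructed; note that applying the stated DSS exclusion literally also drops the two DHE_DSS suites from the reply's own shortlist.

```python
# Cipher-suite triage following the exclusion rules stated in the reply.
# Names use the GnuTLS form TLS_<kx>_<cipher>_<mode>_<mac> seen in the thread.

# Any suite whose name contains one of these tokens is refused, with the reason.
HARD_REJECT = {
    "NULL": "NULL cipher/MAC",
    "ARCFOUR": "RC4",
    "RC4": "RC4",
    "EXPORT": "export-grade",
    "MD5": "MD5",
    "SRP": "SRP",
    "PSK": "PSK",
    "DSS": "DSS",
    "SHA1": "SHA-1 (deprecated)",
    "3DES": "3DES (arguable at best)",
}

def reject_reasons(suite):
    """Return the reasons a suite is refused; an empty list means acceptable."""
    parts = suite.upper().split("_")
    reasons = [HARD_REJECT[p] for p in parts if p in HARD_REJECT]
    if "DES" in parts:  # a bare DES token is single DES (3DES matched above)
        reasons.append("single DES")
    return reasons

def preference(suite):
    """Sort key for accepted suites: GCM before CBC, then larger key first."""
    parts = suite.upper().split("_")
    key_bits = next((int(p) for p in parts if p.isdigit()), 0)
    return (0 if "GCM" in parts else 1, -key_bits, suite)

def triage(suites):
    """Split candidates into (accepted, in preference order) and {rejected: reasons}."""
    accepted, rejected = [], {}
    for s in suites:
        reasons = reject_reasons(s)
        (rejected.__setitem__(s, reasons) if reasons else accepted.append(s))
    return sorted(accepted, key=preference), rejected

# Constructed sample: the six suites from the reply plus a few the rules refuse.
CANDIDATES = [
    "TLS_DHE_DSS_AES_128_CBC_SHA256", "TLS_DHE_DSS_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_AES_128_CBC_SHA256", "TLS_DHE_RSA_AES_256_CBC_SHA256",
    "TLS_RSA_AES_128_CBC_SHA256", "TLS_RSA_AES_256_CBC_SHA256",
    "TLS_RSA_ARCFOUR_128_SHA1", "TLS_RSA_NULL_MD5",
    "TLS_DHE_RSA_3DES_EDE_CBC_SHA1", "TLS_PSK_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    ok, bad = triage(CANDIDATES)
    print("accepted (best first):", *ok, sep="\n  ")
    for name, why in bad.items():
        print(f"rejected {name}: {', '.join(why)}")
```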