
Re: Getting SSL test A+ grade on elpa.gnu.org


From: Robert Pluim
Subject: Re: Getting SSL test A+ grade on elpa.gnu.org
Date: Wed, 25 Nov 2020 18:51:15 +0100

Vasilij Schneidermann <mail@vasilij.de> writes:

>> It could have a bad effect on security and privacy for emacs users. Would
>> you apply only TLS 1.3 on elpa.gnu.org?
>
> ITYM TLSv1.2 and upwards. Remember how GNU ELPA merely supporting
> TLSv1.3 required Emacs versions older than 26.3 to apply a workaround to
> successfully establish a connection to GNU ELPA?

Right

> Another thing to watch out for is the cipher suites. To reach a good
> rating several of them need to be disabled and extensive testing is
> required to ensure that we don't exclude users from fetching packages
> for no apparent reason.

The impression I get is that reordering the cipher suite list to put
the weak ones at the end might be enough to improve the score. That
shouldn't create any compatibility issues (and is a good idea
regardless of just 'improving our score').

> Something else I'm curious about, what exactly blocks us from forcing a
> HTTP->HTTPS redirect? Is it waiting for Emacs 26.1 and newer to become a
> widely used Emacs version or are there others?

Are you sure that all the versions of Emacs that connect to
elpa.gnu.org work correctly in the face of such a redirect? What about
versions that don't support https?

Robert
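The thread contrasts two ways of improving the rating: disabling cipher suites versus merely reordering them. The following added example (not code from the thread, GNU ELPA or Emacs) simulates TLS 1.2 server-preference negotiation to show why reordering keeps an older client connected while removal cuts it off. Suite names, the "weak" heuristic and the client profiles are constructed for illustration.

```python
# Added example (not from the emacs-devel thread): simulate TLS 1.2
# server-preference cipher negotiation. The server picks the first suite
# in *its* list that the client also offers, so putting weak suites last
# changes what modern clients get without dropping old clients.

# Constructed heuristic: treat legacy, non-AEAD or non-PFS suites as "weak".
WEAK_MARKERS = ("RC4", "3DES", "_CBC_", "_NULL", "EXPORT")

def is_weak(suite: str) -> bool:
    """Classify a suite for ordering purposes (simplified, see WEAK_MARKERS)."""
    legacy = any(m in suite for m in WEAK_MARKERS)
    no_pfs = not suite.startswith(("TLS_ECDHE", "TLS_DHE"))
    return legacy or no_pfs

def reorder_weak_last(server_suites):
    """Keep every suite, but move the weak ones behind the strong ones."""
    strong = [s for s in server_suites if not is_weak(s)]
    weak = [s for s in server_suites if is_weak(s)]
    return strong + weak

def negotiate(server_suites, client_suites):
    """Server-preference negotiation; None means the handshake fails."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None

# Constructed server list in a poor order (a non-PFS CBC suite listed first).
SERVER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed client profiles: a modern client and an old one with no AEAD suites.
MODERN_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]
OLD_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

def compare_policies():
    """Negotiated suite per client under the original, reordered and pruned lists."""
    reordered = reorder_weak_last(SERVER)
    removed = [s for s in SERVER if not is_weak(s)]
    return {
        "original/modern": negotiate(SERVER, MODERN_CLIENT),
        "reorder/modern": negotiate(reordered, MODERN_CLIENT),
        "reorder/old": negotiate(reordered, OLD_CLIENT),
        "remove/modern": negotiate(removed, MODERN_CLIENT),
        "remove/old": negotiate(removed, OLD_CLIENT),
    }

if __name__ == "__main__":
    for policy, suite in compare_policies().items():
        print(f"{policy:16} -> {suite}")
```

With the original order the modern client lands on the CBC suite; after reordering it gets the GCM suite and the old client still connects, whereas pruning leaves the old client with no common suite at all.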
