
Re: [tor-bugs] #33751 [Internal Services/Tor Sysadmin Team]: WKD: Error running auto-key-locate wkd in Windows 10



#33751: WKD: Error running auto-key-locate wkd in Windows 10
-------------------------------------------------+-------------------------
 Reporter:  ggus                                 |          Owner:  anarcat
     Type:  defect                               |         Status:  closed
 Priority:  High                                 |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  accepted => closed
 * resolution:   => fixed


Comment:

 i reverted our ciphersuite change, please see if it fixes the problem for
 you.

 {{{
 commit 6cc23ac7ee461cd14cad96da2344f3c797fa9df5 (HEAD -> master,
 origin/master, origin/HEAD)
 Author: Antoine Beaupré <anarcat@xxxxxxxxxx>
 Date:   Fri Mar 27 17:03:27 2020 -0400

     Revert "Update SSL preferences and disable TLS 1 and 1.1 in apache re:
 #32351"

     This causes problems with GnuPG as a WKD client on windows, see #33751

     This reverts commit c5278f3562d8c6e8d05a0bc0f74ef17bd397e2e7.

 diff --git a/modules/apache2/templates/puppet-conf.erb
 b/modules/apache2/templates/puppet-conf.erb
 index 1f5583e9..4924b3a5 100644
 --- a/modules/apache2/templates/puppet-conf.erb
 +++ b/modules/apache2/templates/puppet-conf.erb
 @@ -1,11 +1,15 @@
  <IfModule mod_ssl.c>
 -  # this is a list that seems suitable as of 2020-03, when running buster
 -  # (Debian 10).  It probably requires re-visiting regularly.
 -  # 2020-03-11
 -  #  https://ssl-
 config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.4
 -  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
 -  SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128
 -GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
 :ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128
 -GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 -  SSLHonorCipherOrder     off
 +  SSLProtocol all -SSLv2 -SSLv3
 +  SSLHonorCipherOrder On
 +
 +  # this is a list that seems suitable as of 2014-10, when running
 wheezy.  It
 +  # probably requires re-visiting regularly.
 +  # 2018-07-17
 +  #  https://mozilla.github.io/server-side-tls/ssl-config-
 generator/?server=apache-2.4.25&openssl=1.0.2l&hsts=yes&profile=intermediate
 +  #  https://mozilla.github.io/server-side-tls/ssl-config-
 generator/?server=apache-2.4.25&openssl=1.1.0&hsts=no&profile=intermediate
 +  #
 +  # https://trac.torproject.org/projects/tor/ticket/32351
 +  SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-
 CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
 SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-
 AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256
 :ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384
 :ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA
 :ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-
 AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-
 CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-
 SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

    <%- if has_variable?("apache2deb9") && ((@apache2deb9.kind_of?(String)
 and @apache2deb9 == "true") or (@apache2deb9.kind_of?(TrueClass))) -%>
      SSLUseStapling On
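
Review bot: the restored `SSLProtocol all -SSLv2 -SSLv3` line turns TLS 1.0 and 1.1 back on, and the restored `SSLCipherSuite` brings back the `DES-CBC3-SHA` entries and the static-RSA `AES128-SHA`/`AES256-SHA` entries, while the commit message only says the earlier change "causes problems with GnuPG as a WKD client on windows" without naming which protocol version or suite that client needed. A full revert is reasonable as an immediate fix, but a comment next to these directives should point at #33751: the restored comment block links only #32351 and still describes the list as suitable "as of 2014-10, when running wheezy". It would also help to record in the ticket what the Windows client actually negotiates, so the next tightening can keep just that and drop the rest.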
 }}}

 i made a note in #32351 so that we test on windows before the next
 attempt.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33751#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs