torproject.org using insecure ciphers/protocols (SSLv3, 3DES and RC4)
I just tried to update Tor Browser in Whonix on Qubes OS and got this error: "curl_status_message: [35] - [SSL connect error. The SSL handshaking failed.]".
I looked at it a bit closer and it looks like https://www.torproject.org is currently using insecure ciphers.
openssl s_client -connect www.torproject.org:443
…
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: DD04CBDA08AEFB17B0DCF3696B4D09DE761F150E4886E33AB5334B4F1EBD7575
Session-ID-ctx:
Master-Key: 99B55DE1DB5319DC11D12C19C4DD1B3A1534331E4FB4E7C14A3C93628E068D970A0F493ED0EB878FA4E183F8F6656A4E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519601291
Timeout : 300 (sec)
Verify return code: 0 (ok)
Firefox Nightly tells me the cipher in use is:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
And https://www.ssllabs.com/ssltest/analyze.html?d=www.torproject.org tells me:
protocols:
Protocols
TLS 1.3 No
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 INSECURE Yes
ciphers:
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK 112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
Trac:
Username: pege