Skip to content

GitLab

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Trac@tracbot

torproject.org using insecure ciphers/protocols (SSLv3, 3DES and RC4)

I just tried to update Tor Browser in Whonix on Qubes OS and got this error: "curl_status_message: [35] - [SSL connect error. The SSL handshaking failed.]".

I looked at it a bit closer and it looks like https://www.torproject.org is currently using insecure ciphers.

openssl s_client -connect www.torproject.org:443

Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: DD04CBDA08AEFB17B0DCF3696B4D09DE761F150E4886E33AB5334B4F1EBD7575
    Session-ID-ctx: 
    Master-Key: 99B55DE1DB5319DC11D12C19C4DD1B3A1534331E4FB4E7C14A3C93628E068D970A0F493ED0EB878FA4E183F8F6656A4E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519601291
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Firefox Nightly tells me the cipher in use is:

TLS_RSA_WITH_3DES_EDE_CBC_SHA

And https://www.ssllabs.com/ssltest/analyze.html?d=www.torproject.org tells me:

protocols:

Protocols
TLS 1.3 	No
TLS 1.2 	No
TLS 1.1 	No
TLS 1.0 	Yes
SSL 3   INSECURE 	Yes

ciphers:

TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE 	128
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE 	128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK 	112
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 	256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 	128

Trac:
Username: pege

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information