
Ubuntu 14.04: Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure #3384

Closed
yerke opened this issue Jun 17, 2023 · 8 comments
@yerke
Contributor

yerke commented Jun 17, 2023

Problem

@rbtcollins suggested I file this issue in rust-lang/www.rust-lang.org#1823.

On stock Ubuntu 14.04 LTS (which has extended security maintenance until 2024-04-25) that comes with curl 7.35.0 I see:

Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure
Warning: Not enforcing TLS v1.2, this is potentially less secure

Those warnings happen whether or not you add --proto '=https' --tlsv1.2 as currently recommended in https://github.com/rust-lang/www.rust-lang.org/blob/961dcbda8dff80eb19dd046d3e748d054e6b39d1/templates/components/tools/rustup.html.hbs#L20 and

<pre class="rustup-command">curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh</pre>

I want to point out that rustup-init.sh is correct in printing out those warnings. curl 7.35.0 that comes with stock Ubuntu 14.04 shows that it only supports --tlsv1 when I look at the options using curl --help all as rustup-init.sh does.

According to https://launchpad.net/ubuntu/trusty/+source/curl, 7.35.0 is indeed the latest version available for Ubuntu 14.04. Running sudo apt-get upgrade curl didn't change the result.

Disclaimer: I do not use Ubuntu 14.04 for anything, nor do I expect anyone reasonable to use that ancient version. I just looked up the oldest version of Ubuntu somebody might be using while researching for the PR I linked above and I was specifically looking to trigger that warning / take the corresponding code path.

Steps

  1. Install Ubuntu 14.04 LTS
  2. Try to install Rust with rustup: curl https://sh.rustup.rs -sSf | sh

Possible Solution(s)

Do nothing. I think those warnings are expected in this case.

Notes

No response

Rustup version

Not applicable. We are trying to execute https://github.com/rust-lang/rustup/blob/843459f893091f89b2dd5c7a977da1b3eb28df1b/rustup-init.sh instead.

Installed toolchains

Not applicable.
@yerke yerke added the bug label Jun 17, 2023
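As an added example (not part of this issue and not rustup's own rustup-init.sh code), the POSIX sh below reproduces the kind of capability check the report describes: grep the output of curl --help all for --proto and --tlsv1.2 and only pass those flags when the local curl advertises them, emitting the two warnings quoted above otherwise. The help-text excerpts are constructed stand-ins (HELP_OLD mimics a curl that, like 7.35.0, only lists --tlsv1); the has_flag, missing_flags and curl_tls_flags function names are this example's own. It goes slightly beyond the report by matching whole option tokens, so --proto-redir does not count as --proto and --tlsv1 does not count as --tlsv1.2.

```shell
#!/bin/sh
# Added example, not rustup's own code: decide whether the local curl can
# honour the hardening flags recommended for downloading rustup-init.sh.

# Constructed excerpts of `curl --help all` output (not real captures).
# HELP_OLD stands in for curl 7.35.0 on Ubuntu 14.04, which only has --tlsv1.
HELP_OLD='     --sslv3         Use SSLv3 (SSL)
     --tlsv1         Use TLSv1 (SSL)
 -k, --insecure      Allow connections to SSL sites without certs'

# A curl that knows both flags the installer wants to enforce.
HELP_MODERN='     --proto <protocols>  Enable/disable PROTOCOLS
     --proto-redir <protocols>  Enable/disable PROTOCOLS on redirect
     --tlsv1         Use TLSv1.0 or greater
     --tlsv1.2       Use TLSv1.2 or greater
     --tlsv1.3       Use TLSv1.3 or greater'

# Constructed edge case: --proto-redir present but plain --proto absent.
HELP_PARTIAL='     --proto-redir <protocols>  Enable/disable PROTOCOLS on redirect
     --tlsv1.2       Use TLSv1.2 or greater'

# has_flag HELP FLAG: succeed only if FLAG appears as a whole option token.
# Tokens are split on spaces and commas; -F -x forces a literal, full-token
# match so substrings such as --proto-redir or --tlsv1.2 cannot satisfy a
# shorter flag name.
has_flag() {
    printf '%s\n' "$1" | tr ' ,' '\n\n' | grep -qFx -- "$2"
}

# missing_flags HELP: print the required hardening flags this curl lacks,
# space separated, or nothing when all are present.
missing_flags() {
    _missing=""
    for _f in --proto --tlsv1.2; do
        has_flag "$1" "$_f" || _missing="${_missing:+$_missing }$_f"
    done
    printf '%s\n' "$_missing"
}

# curl_tls_flags HELP: print the extra curl arguments to use for the download.
# When any required flag is unsupported, print the same two warnings
# rustup-init.sh shows on stderr and fall back to no extra flags, so the
# caller still downloads but knows the transport is not pinned.
curl_tls_flags() {
    if [ -z "$(missing_flags "$1")" ]; then
        printf '%s\n' "--proto =https --tlsv1.2"
    else
        echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure" >&2
        echo "Warning: Not enforcing TLS v1.2, this is potentially less secure" >&2
        printf '\n'
    fi
}

# Demonstration on the constructed excerpts; against a real binary you would
# feed `curl --help all 2>/dev/null` instead, e.g.
#   curl $(curl_tls_flags "$(curl --help all 2>/dev/null)") -sSf https://sh.rustup.rs
for _name in HELP_OLD HELP_MODERN HELP_PARTIAL; do
    eval "_text=\$$_name"
    printf '%s: flags="%s" missing="%s"\n' "$_name" \
        "$(curl_tls_flags "$_text" 2>/dev/null)" "$(missing_flags "$_text")"
done
```

The fallback path is where the security decision sits: without --proto '=https' a redirect could send curl to a plain-http URL, and without --tlsv1.2 the client will accept whatever older protocol version the peer negotiates, which is exactly what the two warnings on Ubuntu 14.04 are telling the user.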
@rbtcollins
Contributor

Thank you @yerke. Since this is correctly telling us about a security gap, I don't think we have a concrete problem per se. Though perhaps we should document that older curls will error when given --tlsv1.2 for the initial script download - and what that means.

@rbtcollins rbtcollins changed the title Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure Ubuntu 14.04: Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure Jun 21, 2023
@sam-mix

This comment has been minimized.

@djc
Contributor

djc commented Nov 11, 2024

@sam-mix that's probably a duplicate of #4045?

@rami3l
Member

rami3l commented Nov 11, 2024

@djc Nice catch!

BTW I think we can close this issue as outdated/stale?

@sam-mix

sam-mix commented Nov 11, 2024

pacman -R rust
pacman -S --needed --noconfirm rustup
rustup default stable

It works for me.
I am just curious.

@sam-mix

sam-mix commented Nov 11, 2024

export RUSTUP_TLS_CIPHERSUITES="TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

It works.

@sam-mix

sam-mix commented Nov 11, 2024

@sam-mix that's probably a duplicate of #4045?

Thank you.

@rami3l
Member

rami3l commented Nov 12, 2024

@djc Nice catch!

BTW I think we can close this issue as outdated/stale?

@rbtcollins said:

In fact thinking about it, whatever platform you're on, please file a bug on rustup about seeing that warning, so we can discuss how to get you integrity protection over both the installer and rustup itself.

rust-lang/www.rust-lang.org#1823 (comment)

As we'd definitely like to see one thread per specific platform to prevent this thread from going too off-topic (and for something like Arch Linux + recent cURL, it should be #4045 instead of here), I'm closing this issue as stale.

If you have encountered similar problems, please feel free to file a new issue!

PS: As for Ubuntu, we have gone past the point of 2024-04-25, and I checked https://launchpad.net/ubuntu/+source/curl and have confirmed, by unpacking the .deb file and looking for curl.1, that on Ubuntu 16.04 LTS (Xenial) we have --tlsv1.2 in cURL.

@rami3l rami3l closed this as not planned Won't fix, can't repro, duplicate, stale Nov 12, 2024