oss-sec mailing list archives

Re: rubygems insecure download (and other problems)


From: Reed Loden <reed () reedloden com>
Date: Thu, 15 Aug 2013 01:11:47 -0700

On Wed, 14 Aug 2013 14:59:12 -0600
Kurt Seifried <kseifried () redhat com> wrote:

> Problem #2:
> it redirects to production.cf.rubygems.org which is on cloudfront so
> has a certificate mismatch, so either users have to accept insecurity,
> or... well there is no second choice =(.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org

It only does that if you use http://. If you use https://rubygems.org,
it goes through S3 directly
(https://s3.amazonaws.com/production.s3.rubygems.org/)

See this code:
https://github.com/rubygems/rubygems-aws/blob/master/chef/site-cookbooks/rubygems/templates/default/nginx_balancer.conf.erb

I do wish they would fix their cipher suite choices, though. :/

~reed
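The two redirect paths discussed above (plain http:// to a CloudFront-fronted hostname whose certificate does not cover it, versus https:// straight to S3), as an added Ruby example that is not from the thread or from the rubygems project: it classifies a redirect hop by scheme and checks the target host against the dNSNames the target presents, using RFC 6125 wildcard rules. The URLs and SAN lists in the demo are constructed for illustration.

```ruby
require 'uri'

# RFC 6125-style match of one certificate name (CN or SAN dNSName) against a
# host. A wildcard is only honoured in the left-most label and never spans a
# label boundary, so "*.cloudfront.net" does not cover
# "production.cf.rubygems.org", which is exactly the mismatch the thread
# describes for a CNAME'd custom hostname in front of CloudFront.
def cert_name_matches?(pattern, host)
  pattern = pattern.downcase
  host = host.downcase
  return pattern == host unless pattern.start_with?('*.')
  suffix = pattern[1..-1]              # e.g. ".cloudfront.net"
  return false unless host.end_with?(suffix)
  prefix = host[0...-suffix.length]    # the part the wildcard stands for
  !prefix.empty? && !prefix.include?('.')
end

def cert_covers_host?(san_names, host)
  san_names.any? { |name| cert_name_matches?(name, host) }
end

# Classify one redirect hop from +from+ to +location+, given the dNSNames the
# target would present. Returns a list of findings; empty means the hop keeps
# transport security and the target certificate actually matches the host.
def redirect_findings(from, location, target_san_names)
  src = URI(from)
  dst = URI(location)
  findings = []
  findings << :plaintext_source if src.scheme == 'http'
  findings << :plaintext_target if dst.scheme == 'http'
  if dst.scheme == 'https' && !cert_covers_host?(target_san_names, dst.host)
    findings << :certificate_mismatch
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: the http:// path lands on the CloudFront hostname,
  # assumed here to present only a *.cloudfront.net certificate.
  p redirect_findings('http://rubygems.org/gems/rails',
                      'https://production.cf.rubygems.org/gems/rails',
                      ['*.cloudfront.net', 'cloudfront.net'])
  # Constructed sample: the https:// path goes to S3 under its own name.
  p redirect_findings('https://rubygems.org/gems/rails',
                      'https://s3.amazonaws.com/production.s3.rubygems.org/gems/rails',
                      ['*.s3.amazonaws.com', 's3.amazonaws.com'])
end
```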