oss-sec mailing list archives
Re: rubygems insecure download (and other problems)
From: Reed Loden <reed () reedloden com>
Date: Thu, 15 Aug 2013 01:11:47 -0700
On Wed, 14 Aug 2013 14:59:12 -0600 Kurt Seifried <kseifried () redhat com> wrote:
> Problem #2: it redirects to production.cf.rubygems.org which is on cloudfront so has certificate mismatch, so either users have to accept insecurity, or... well there is no second choice =(.
> https://www.ssllabs.com/ssltest/analyze.html?d=production.cf.rubygems.org
It only does that if you use http://. If you use https://rubygems.org, it goes through S3 directly (https://s3.amazonaws.com/production.s3.rubygems.org/).

See this code: https://github.com/rubygems/rubygems-aws/blob/master/chef/site-cookbooks/rubygems/templates/default/nginx_balancer.conf.erb

I do wish they would fix their cipher suite choices, though. :/

~reed
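An added example, not code from the thread or from rubygems: an offline check that walks a gem-source URL's redirect chain and flags the two failure modes discussed above (a hop made over plaintext http, and a final host whose certificate does not cover the hostname the client connected to). The redirect map, the subjectAltName lists and the gem path are constructed fixtures standing in for live responses, not the real certificate contents.

```python
# Added example (not from the thread): walk a gem-source URL's redirect
# chain offline and report plaintext hops and certificate name mismatches.
from urllib.parse import urlparse

# Constructed fixtures standing in for live HTTP responses.
REDIRECTS = {
    "http://rubygems.org/gems/example-1.0.0.gem":
        "https://production.cf.rubygems.org/gems/example-1.0.0.gem",
    "https://rubygems.org/gems/example-1.0.0.gem":
        "https://s3.amazonaws.com/production.s3.rubygems.org/gems/example-1.0.0.gem",
}
# Hypothetical subjectAltName lists, keyed by the host actually contacted.
CERT_SANS = {
    "rubygems.org": ["rubygems.org", "www.rubygems.org"],
    "production.cf.rubygems.org": ["*.cloudfront.net", "cloudfront.net"],
    "s3.amazonaws.com": ["s3.amazonaws.com", "*.s3.amazonaws.com"],
}

def hostname_matches(host, san):
    """RFC 6125 style match: exact name, or a single leading '*' label."""
    host, san = host.lower(), san.lower()
    if not san.startswith("*."):
        return host == san
    h_labels, s_labels = host.split("."), san.split(".")
    # The wildcard covers exactly one label; it never spans subdomains.
    return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]

def check_chain(url, redirects=REDIRECTS, sans=CERT_SANS, max_hops=5):
    """Return the list of findings for the redirect chain starting at url."""
    findings = []
    for _ in range(max_hops):
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"plaintext hop: {url}")
        else:
            host = parts.hostname
            if not any(hostname_matches(host, s) for s in sans.get(host, [])):
                findings.append(f"certificate mismatch: {host}")
        if url not in redirects:
            break
        url = redirects[url]
    return findings

if __name__ == "__main__":
    for start in ("http://rubygems.org/gems/example-1.0.0.gem",
                  "https://rubygems.org/gems/example-1.0.0.gem"):
        print(start, "->", check_chain(start) or "clean")
```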