>From address@hidden Thu Jul 14 06:13:58 2016
Date: Thu, 14 Jul 2016 06:13:58 +0000
From: Juuso Lapinlampi
To: address@hidden
Cc: address@hidden
Subject: HSTS policy on gnu.org prevents loading *.savannah.gnu.org
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Status: RO
Content-Length: 473
Lines: 16

gnu.org enforces a HSTS policy with includeSubDomains. The following
subdomains however do not support HTTPS:

git.savannah.gnu.org
vcs.savannah.gnu.org
bzr.savannah.gnu.org

It is thus not possible to browse the source code in HSTS-enforcing
user-agents. savannah.gnu.org links to these subdomains with "browse
source repository".

Please apply one of the following fixes:

1. Add HTTPS support to *.savannah.gnu.org; or
2. Modify the HSTS policy on gnu.org.

>From address@hidden Thu Jul 14 17:17:49 2016
Return-Path: address@hidden
Delivered-To: address@hidden
Received: from rt.gnu.org (rt.gnu.org [74.94.156.213]) by mail.partyvan.eu (OpenSMTPD) with ESMTPS id 69378bb0 TLS version=TLSv1 cipher=AES256-SHA bits=256 verify=NO for ; Thu, 14 Jul 2016 17:17:49 +0000 (UTC)
Received: from www-data by rt.gnu.org with local (Exim 4.69) (envelope-from ) id 1bNkGg-0001TS-8h for address@hidden; Thu, 14 Jul 2016 13:17:46 -0400
Subject: [gnu.org #1127678] HSTS policy on gnu.org prevents loading *.savannah.gnu.org
From: "Lisa Maginnis via RT"
Reply-To: address@hidden
In-Reply-To:
References:
Message-ID:
Precedence: bulk
X-RT-Loop-Prevention: gnu.org
RT-Ticket: gnu.org #1127678
Managed-by: RT 3.4.5 (http://www.bestpractical.com/rt/)
RT-Originator: address@hidden
To: address@hidden
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Thu, 14 Jul 2016 13:17:46 -0400
Status: RO
X-Status: A
Content-Length: 511
Lines: 21

Hello,

Thank you for this report. I have removed the `subdomain' directive from
our HSTS header on gnu.org. This should resolve the issue for you
(pending clearing your browser cache in some cases).

In the mean time I have also contacted the Savannah team about
configuring SSL the domains you listed.

Thanks & Happy hackingz,

-- 
~Lisa Marie Maginnis
Senior System Administrator
Free Software Foundation
http://fsf.org
http://gnu.org
GPG Key: 61EEC710

Support our infrastructure! https://donate.fsf.org

>From address@hidden Thu Jul 14 17:31:01 2016
Date: Thu, 14 Jul 2016 17:31:01 +0000
From: Juuso Lapinlampi
To: Lisa Maginnis via RT
Subject: Re: [gnu.org #1127678] HSTS policy on gnu.org prevents loading *.savannah.gnu.org
Message-ID:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.24 (2015-08-30)
Status: RO
Content-Length: 293
Lines: 6

On Thu, Jul 14, 2016 at 01:17:46PM -0400, Lisa Maginnis via RT wrote:
> In the mean time I have also contacted the Savannah team about
> configuring SSL the domains you listed.

All versions of SSL are considered insecure: please do not use them.
TLS1.0+ is still considered to be reasonable.

>From address@hidden Thu Jul 14 17:38:52 2016
Return-Path: address@hidden
Delivered-To: address@hidden
Received: from rt.gnu.org (rt.gnu.org [74.94.156.213]) by mail.partyvan.eu (OpenSMTPD) with ESMTPS id 5372322e TLS version=TLSv1 cipher=AES256-SHA bits=256 verify=NO for ; Thu, 14 Jul 2016 17:38:52 +0000 (UTC)
Received: from www-data by rt.gnu.org with local (Exim 4.69) (envelope-from ) id 1bNkb3-0001xm-MU for address@hidden; Thu, 14 Jul 2016 13:38:49 -0400
Subject: [gnu.org #1127678] HSTS policy on gnu.org prevents loading *.savannah.gnu.org
From: "Lisa Maginnis via RT"
Reply-To: address@hidden
In-Reply-To:
References:
Message-ID:
Precedence: bulk
X-RT-Loop-Prevention: gnu.org
RT-Ticket: gnu.org #1127678
Managed-by: RT 3.4.5 (http://www.bestpractical.com/rt/)
RT-Originator: address@hidden
To: address@hidden
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Thu, 14 Jul 2016 13:38:49 -0400
Status: RO
Content-Length: 776
Lines: 24

> On Thu, Jul 14, 2016 at 01:17:46PM -0400, Lisa Maginnis via RT wrote:
> > In the mean time I have also contacted the Savannah team about
> > configuring SSL the domains you listed.
>
> All versions of SSL are considered insecure: please do not use them.
> TLS1.0+ is still considered to be reasonable.

In this case I meant TLS1.0+, the FSF has a strict no SSLv2 or SSLv3
policy for hosting HTTPS. Since the exploits BEAST (CVE-2011-3389) and
POODLE (CVE-2014-3566) have rendered SSLv2 and SSLv3 obsolete, a lot of
people still use the word SSL while meaning TLS.

Thank you for your concern,

-- 
~Lisa Marie Maginnis
Senior System Administrator
Free Software Foundation
http://fsf.org
http://gnu.org
GPG Key: 61EEC710

Support our infrastructure! https://donate.fsf.org
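The mechanics behind this ticket, as an added example that is not part of the thread and not the FSF's configuration: a small model of how an HSTS-enforcing user agent parses a Strict-Transport-Security header (RFC 6797), stores it as a Known HSTS Host, and applies superdomain matching when includeSubDomains is set. It shows why the HTTP-only *.savannah.gnu.org hosts became unreachable, why the fix only takes effect once the cached entry is replaced or expires (the "clearing your browser cache" remark), and how removing the directive resolves it. The max-age value, the timestamps, and the set of HTTPS-capable hosts are constructed for illustration; the real gnu.org header is not quoted in the thread.

```python
"""Model of an HSTS-enforcing user agent (RFC 6797), written for this thread.

Constructed example: the header values, max-age, timestamps and the list of
HTTPS-capable hosts below are assumptions, not the real gnu.org configuration.
"""


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is malformed (missing or duplicated max-age) and must be ignored.
    """
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # value may be a quoted-string
        if name == "max-age":
            if not value.isdigit() or policy["max_age"] is not None:
                return None                  # invalid or duplicate: ignore header
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None                          # max-age is mandatory
    return policy


class HstsStore:
    """Minimal Known-HSTS-Host store with the superdomain walk a UA performs."""

    def __init__(self):
        self.entries = {}  # host -> (expiry_epoch_seconds, include_subdomains)

    def observe(self, host, header, received_at):
        """Record a header received over a secure connection from `host`.

        A later header for the same host replaces the stored entry, which is
        how a policy change actually reaches a client that already cached it.
        """
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.entries.pop(host, None)     # max-age=0 deletes the entry
            return
        self.entries[host] = (received_at + policy["max_age"],
                              policy["include_subdomains"])

    def must_upgrade(self, host, at):
        """True if the UA must rewrite http://host/... to https://host/..."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])   # host, then each superdomain
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if at >= expiry:
                continue                       # expired entry is inert
            if i == 0 or include_subdomains:
                return True
        return False


# Constructed host sets, following the ticket's description.
HTTPS_CAPABLE = {"gnu.org", "www.gnu.org", "savannah.gnu.org"}
HTTP_ONLY = ["git.savannah.gnu.org", "vcs.savannah.gnu.org", "bzr.savannah.gnu.org"]


def unreachable_hosts(store, hosts, at):
    """Hosts the UA will force to HTTPS although they cannot serve it."""
    return [h for h in hosts if store.must_upgrade(h, at) and h not in HTTPS_CAPABLE]


def demo():
    """Walk through the ticket: broken policy, cached policy, corrected policy."""
    t0 = 1_468_476_838                # constructed timestamp for the first visit
    store = HstsStore()
    # Policy as reported: includeSubDomains covers every *.gnu.org host (max-age assumed).
    store.observe("gnu.org", "max-age=31536000; includeSubDomains", t0)
    before = unreachable_hosts(store, HTTP_ONLY, t0)
    # The directive is removed server-side, but this UA has not revisited
    # gnu.org yet: the cached entry still applies ("pending clearing your cache").
    t1 = t0 + 40_000
    still_cached = unreachable_hosts(store, HTTP_ONLY, t1)
    # Next secure visit to gnu.org delivers the corrected header and replaces the entry.
    store.observe("gnu.org", "max-age=31536000", t1)
    after = unreachable_hosts(store, HTTP_ONLY, t1)
    return before, still_cached, after


if __name__ == "__main__":
    for label, hosts in zip(("before fix", "fix applied, old entry cached", "after revisit"), demo()):
        print(f"{label}: unreachable = {hosts}")
```

The superdomain walk in must_upgrade is the operational point: an includeSubDomains policy on an apex applies to every label depth beneath it, so before adding it every host under the apex, including ones that merely redirect or serve a VCS browser, must answer on 443 with a valid certificate for the whole max-age window.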