I tried installing Rust (through the official way) using
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
However I get this warning:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
info: downloading installer
Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure
Warning: Not enforcing TLS v1.2, this is potentially less secure
The installation did go through, but I'm concerned whether my system is exposed to any vulnerabilities.
I'm on a manually installed Arch Linux.
OpenSSL Version: OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)
Curl Version:
curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.3.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.0 nghttp2/1.63.0 nghttp3/1.6.0
Release-Date: 2024-09-18
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
How can I prevent this warning? i.e. by fixing it?
Offline
That command has at least 2 issues:
using TLS 1.2 instead of TLS 1.3
executing code downloaded from the internet without checking what the code does.
The Arch Wiki recommends another command, see https://wiki.archlinux.org/title/Rust#U … ion_script
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
you? not at all
https://www.ssllabs.com/ssltest/analyze … .25&latest
it's a warning about the server supporting TLS 1.1
as the server name SH suggests, it's likely designed to provide simple shell scripts, maybe for embedded systems
although everything should support 1.2, as 1.1 was only short-lived, it seems that the hoster has some reason to support TLSv1.1 - likely to allow for some weak ciphers not allowed in 1.2
nvm - see next post
message comes from checking wget and curl commands:
downloader() {
    # zsh does not split words by default, Required for curl retry arguments below.
    is_zsh && setopt local_options shwordsplit
    local _dld
    local _ciphersuites
    local _err
    local _status
    local _retry
    if check_cmd curl; then
        _dld=curl
    elif check_cmd wget; then
        _dld=wget
    else
        _dld='curl or wget' # to be used in error message of need_cmd
    fi
    if [ "$1" = --check ]; then
        need_cmd "$_dld"
    elif [ "$_dld" = curl ]; then
        check_curl_for_retry_support
        _retry="$RETVAL"
        get_ciphersuites_for_curl
        _ciphersuites="$RETVAL"
        if [ -n "$_ciphersuites" ]; then
            _err=$(curl $_retry --proto '=https' --tlsv1.2 --ciphers "$_ciphersuites" --silent --show-error --fail --location "$1" --output "$2" 2>&1)
            _status=$?
        else
            echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
            if ! check_help_for "$3" curl --proto --tlsv1.2; then
                echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
                _err=$(curl $_retry --silent --show-error --fail --location "$1" --output "$2" 2>&1)
                _status=$?
            else
                _err=$(curl $_retry --proto '=https' --tlsv1.2 --silent --show-error --fail --location "$1" --output "$2" 2>&1)
                _status=$?
            fi
        fi
        if [ -n "$_err" ]; then
            echo "$_err" >&2
            if echo "$_err" | grep -q 404$; then
                err "installer for platform '$3' not found, this may be unsupported"
            fi
        fi
        return $_status
    elif [ "$_dld" = wget ]; then
        if [ "$(wget -V 2>&1|head -2|tail -1|cut -f1 -d" ")" = "BusyBox" ]; then
            echo "Warning: using the BusyBox version of wget. Not enforcing strong cipher suites for TLS or TLS v1.2, this is potentially less secure"
            _err=$(wget "$1" -O "$2" 2>&1)
            _status=$?
        else
            get_ciphersuites_for_wget
            _ciphersuites="$RETVAL"
            if [ -n "$_ciphersuites" ]; then
                _err=$(wget --https-only --secure-protocol=TLSv1_2 --ciphers "$_ciphersuites" "$1" -O "$2" 2>&1)
                _status=$?
            else
                echo "Warning: Not enforcing strong cipher suites for TLS, this is potentially less secure"
                if ! check_help_for "$3" wget --https-only --secure-protocol; then
                    echo "Warning: Not enforcing TLS v1.2, this is potentially less secure"
                    _err=$(wget "$1" -O "$2" 2>&1)
                    _status=$?
                else
                    _err=$(wget --https-only --secure-protocol=TLSv1_2 "$1" -O "$2" 2>&1)
                    _status=$?
                fi
            fi
        fi
        if [ -n "$_err" ]; then
            echo "$_err" >&2
            if echo "$_err" | grep -q ' 404 Not Found$'; then
                err "installer for platform '$3' not found, this may be unsupported"
            fi
        fi
        return $_status
    else
        err "Unknown downloader" # should not reach here
    fi
}
Last edited by cryptearth (2024-10-08 20:37:30)
Offline
The warning comes from the script that is downloaded from sh.rustup.rs, not from curl. The script's warning appears to be triggered when it cannot set a custom cipher specification for the script to download from static.rust-lang.org.
Offline
It's perhaps worth pointing out that the extra repo includes rustup, see https://archlinux.org/packages/extra/x86_64/rustup/
Offline
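An added example, not part of any post in this thread and not rustup's own code: one way to act on the "executing code downloaded from the internet without checking" point is to fetch the installer to a file with HTTPS enforced, read it, and only then run it. The function names and the output file name are assumptions of this example; the curl flags are the ones quoted in the thread plus `--proto-redir`.

```shell
#!/bin/sh
# Added example: download an installer over enforced HTTPS into a file,
# so it can be reviewed before it is executed (instead of `curl ... | sh`).
# Function names below are hypothetical, chosen for this example.

# Reject anything that is not an https:// URL before curl is even started.
is_https_url() {
    case "$1" in
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Download URL $1 to file $2.
#   --proto '=https'        only HTTPS is allowed for the request
#   --proto-redir '=https'  redirects may only go to HTTPS as well
#   --tlsv1.2               minimum TLS version; TLS 1.3 is still negotiated
#                           when client and server both support it
#   --fail                  HTTP errors become a non-zero exit status
fetch_installer() {
    _url=$1
    _out=$2
    if ! is_https_url "$_url"; then
        echo "refusing non-HTTPS URL: $_url" >&2
        return 2
    fi
    _tmp="$_out.part"
    if curl --proto '=https' --proto-redir '=https' --tlsv1.2 \
            --silent --show-error --fail --location \
            --output "$_tmp" "$_url"; then
        mv "$_tmp" "$_out"    # only a complete download gets the final name
    else
        _rc=$?                # exit status of the failed curl call
        rm -f "$_tmp"
        return "$_rc"
    fi
}

# Cheap sanity check before a human reads the file: it is non-empty and
# starts with a shebang (an HTML error page or empty file fails this).
looks_like_script() {
    [ -s "$1" ] && [ "$(head -c 2 "$1")" = '#!' ]
}

# Interactive use:
#   fetch_installer https://sh.rustup.rs rustup-init.sh &&
#       looks_like_script rustup-init.sh &&
#       less rustup-init.sh && sh rustup-init.sh
```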