Drop TLS1.1 from sh/rustup.rs server

[BryanQuigley]

https://www.hardenize.com/report/rustup.rs/1606542595#www_tls
https://www.ssllabs.com/ssltest/analyze.html?d=sh.rustup.rs

Disable TLS1.1 if you can. Although this may create issues for CentOS6/RHEL6 currently in extended support mode.

Notes
No major browser should be using it now and the script should generally be enforcing tls1.2.

[kinnison]

I'm not sure if we have any control over the server's SSL support since it's cloudfront/AWS I think. @pietroalbini Do you know about this?

Even if we do support it, I know people use CentOS6 as a CI base platform so we shouldn't turn it off without some kind of backup plan for those users.

[pietroalbini]

It's possible to disable it on Cloudfront, not sure if we want to break CentOS/RHEL though. cc @cuviper

[BryanQuigley]

I was wrong about CentOS 6 - it appears a simple upgrade should let it get TLS1.2 - and if they haven't at this point that's very bad for them:
https://status.yubico.com/2019/01/08/centos-6-and-tls1-2/

I believe just setting TLSv1.2_2018 would do it -
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy

[kinnison]

Oh interesting, that's useful to know. I assume similar exists for RHEL given their close connection to each other then.

[cuviper]

Yes, the change would have happened in RHEL6 first, then rebuilt for CentOS6. AFAIK this should be fine, but if there's any way to provide it on a test server first, I can try it out.

The other Linux baseline is SLE11-SP4, and it sounds like they have a solution, but it's complicated for openssl:
https://www.suse.com/c/introducing-the-suse-linux-enterprise-11-security-module/

[yerke]

Disclaimer: I stumbled on this issue by accident, and I am not an expert in cryptography.

In case it's helpful, I wanted to point out EOL for CentOS 6 and RHEL 6 ended in November 2020. Maybe it's ok to disable TLS 1.1 now?

cc @cuviper @kinnison @pietroalbini

[kinnison]

I am still aware of companies still using RHEL 6 with direct support from Redhat, so I'd prefer not to disable this just yet.

[ms-ati]

Hello from Dec 2022! Just wondering, should an explicit threshold be defined for when TLS 1.1 will be disabled?

Wondering if it might be June 30, 2024, corresponding to the end of Extended life cycle support (ELS) add-on for RHEL 6 as listed here: https://access.redhat.com/support/policy/updates/errata ?

[rami3l]

It's possible to disable it on Cloudfront, not sure if we want to break CentOS/RHEL though. cc @cuviper

@pietroalbini Are we still doing TLS 1.1 on rustup.sh, or this can be safely closed now?

[djc]

Per SSLLabs (https://www.ssllabs.com/ssltest/analyze.html?d=sh.rustup.rs) this is still an issue.

Note that both rustup-init.sh in most setups (wget and curl, except with wget provided by busybox) and rustup itself (with the rustls backend, which is the default on master) disable TLS 1.1.