
bugs.python.org still stuck on deprecated and insecure TLS 1.0 resulting in SSL_ERROR_UNSUPPORTED_VERSION on clients with POODLE mitigations #13


Closed
CAM-Gerlach opened this issue Aug 13, 2018 · 7 comments


@CAM-Gerlach
Member

CAM-Gerlach commented Aug 13, 2018

On the same general topic and scope as #4 (TLS problems with bugs.python.org) but not the same issue, so reported here—hopefully this is the right place.

To help mitigate POODLE and similar attacks, I've had TLS 1.0 disabled in my browser for a long time now. To my shock, despite not having a problem with such on virtually every other site of significance, I received an SSL_ERROR_UNSUPPORTED_VERSION error when attempting to load bugs.python.org. Sure enough, when I re-enabled it to test, the site was indeed using TLS 1.0.

I've always strongly supported the PSF's efforts to get the community ported over to Python 3 on a reasonable schedule and, as a member of the core dev team of Spyder, the premiere open-source data science IDE for and in Python, I've spearheaded the effort to plan for dropping Py2.7 support entirely on or before the PSF EOL deadline. Therefore, it is simply inconceivable to me why its very own bug tracker site doesn't support, much less enforce, a standard (TLS 1.1) finalized well over two and a half years before Python 3's first release and over four before Py2.7; even TLS 1.2, still the current standard, was released several months before Python 3 and several years before Python 2.7. This is particularly jarring since this is an incremental infrastructure upgrade, rather than a major porting effort involving every line of code, and rather than just being out of date is acutely vulnerable to real-world attacks.

Therefore, it seems rather pressing that the site migrate to a modern SSL library that supports secure versions of TLS, i.e. 1.2, as soon as practicable. Unfortunately, I won't be able to be of much help effecting that as I'm a scientist first, a programmer second and a DevOps specialist...well, really not at all, but I wanted to surface the issue so those responsible were aware. Thanks!

@CAM-Gerlach
Member Author

Also, I neglected to point out the obvious, but many security-conscious users might have set security.tls_version.min to 3 in Firefox like I did (as many resources have recommended for some time now), rendering the site completely unavailable to such users without downgrading their security. Further, this will eventually become the default, thus breaking the site entirely for anyone using Firefox (and any other browsers that follow suit).
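The situation described in the two comments above (a server that only negotiates TLS 1.0, and a Firefox client whose `security.tls_version.min` floor is set to 3, i.e. TLS 1.2) can be reproduced from an operator's side with a small probe. This is an added example, not code from the issue or from the PSF infrastructure team; it assumes Python 3.7+ (for `ssl.TLSVersion`) and the Firefox pref mapping 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3.

```python
import socket
import ssl
from typing import Dict, Optional

# Protocol versions to probe, labelled as browsers and admins name them.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
# Firefox pref security.tls_version.min (assumed mapping): 1=TLS1.0 ... 4=TLS1.3.
FIREFOX_MIN = {1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}


def probe_version(host: str, label: str, port: int = 443, timeout: float = 5.0) -> Optional[bool]:
    """Handshake with host pinned to exactly one protocol version.
    True: server accepted it; False: server refused it (what a client with a
    TLS floor reports as SSL_ERROR_UNSUPPORTED_VERSION); None: inconclusive,
    because the local OpenSSL would not offer it or the connection failed."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ctx.maximum_version = VERSIONS[label]
    except ValueError:  # version compiled out of the local OpenSSL
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError as exc:
        # OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security level.
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:  # DNS failure, connection refused, timeout
        return None


def supported_versions(host: str) -> Dict[str, Optional[bool]]:
    return {label: probe_version(host, label) for label in VERSIONS}


def reachable(server_supports: Dict[str, Optional[bool]], firefox_min: int) -> bool:
    """True if some version the server is known to accept meets the client floor."""
    floor = VERSIONS[FIREFOX_MIN[firefox_min]]
    return any(ok and VERSIONS[label] >= floor for label, ok in server_supports.items())


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "bugs.python.org"
    result = supported_versions(host)
    print(result, "reachable with security.tls_version.min=3:", reachable(result, 3))
```

A server answering only `TLS 1.0: True` with `False` for the rest is exactly what locks out a client with the floor set to 3; an `A`-rated deployment should show `TLS 1.0: False` (or `None`, when the probing host cannot offer it at all) and `TLS 1.2: True`.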

@pradyunsg
Member

From #4 (comment), I think you should be able to use "www.bugs.python.org" instead.

@CAM-Gerlach
Member Author

CAM-Gerlach commented Aug 13, 2018

@pradyunsg Indeed, this works—thanks! Is there a cogent plan to eventually redirect (or deprecate) the legacy URL, like with the PyPI Warehouse migration? When googling the link to the bug tracker or finding it various places, it is the old non-www link that is still overwhelmingly dominant.

@ewdurbin
Member

This will be resolved shortly as we complete the migration to new hosting infra.

@CAM-Gerlach
Member Author

@ewdurbin Great, thanks!

@ewdurbin
Member

Migration complete. TLS for bugs.python.org should be A rating now!
