Custom Query (2448 matches)

Following a consideration on ​ticket 3064.

To meet industry standards on SSL/TLS security and to increase security headroom when exposing the Web UI to the Internet, I believe that some changes are required on the transport side.

1. Disable TLS v1.0. Only allow TLS >= v1.1 (​link). All reasonably modern browsers should have no problem with this.

2. Respect certificate x509 extensions, especially key usage

For example: Currently, if keyUsage is set to "critical, digitalSignature", which should forbid plain RSA since that is a keyEncipherment operation, the server will happily still use plain RSA. That is... bad.

3. Enable (only) (elliptic curve or regular) Diffie-Hellman epidermal key exchange cipher suites.

This is necessary to provide Perfect Forward Secrecy. This requires adding DH parameters, but it shouldn't be to hard to generate with dhparams and include it with the distribution or generate it dynamically. Currently there's only plain RSA cipher suites enabled.

4. Tweak cipher list to prefer AES GCM modes and disable MD5/DES/RC4.

More resistant to certain types of attacks. Current list seems to prefer AES CBC for some reason.

(1) and (4) can be trivially done now but might break compatibility with some outdated clients. (2) I don't know about if Twisted even supports. (3) requires a newer version of Twisted than currently in the Trusty repositories.

Hi!

I'm going to try to keep this short. I'm trying to add a certificate chain to the deluge web UI, the subject certificate concatenated with a intermediate certificate, as is standard. I've successfully verified the separate files using the openssl verify" utility.

$ openssl verify -verbose -CAfile root.cert.pem -untrusted intermediate.cert.pem deluge.cert.pem
deluge.cert.pem: OK

However, Firefox gives me an SEC_ERROR_UNKNOWN_ISSUER error. To look at what the server sends my I use:

openssl s_client -CAfile root.cert.pem -connect localhost:8112 -showcerts

Indeed, the output shows the server does not send the intermediate certificate. It seems the deluge web server only sends the first certificate, and skips the rest of the chain. As this has worked correctly in the past, I looked at the git history and the culprit seems to be commit c1902e43, which replaces the code for loading the certificate, specifically

certificate = Certificate.loadPEM(cert.read()).original[/code]
instead of
[code]ctx.use_certificate_chain_file(configmanager.get_config_dir(delugeweb.cert))

As far as I can tell this is an incorrect way to read chain files. Look at the example at ​https://pem.readthedocs.io/en/stable/twisted.html for guidance.

I would fix this myself but I'm sure you that have greater experience with the code can do it much quicker and efficiently.

blocklist execute label notifications stats webui suffer the same issue

12:30:58.941 [ERROR   ][deluge.pluginmanagerbase           :75  ] Failed to start plugin: AutoAdd
Traceback: <type 'exceptions.RuntimeError'>: could not create GladeXML object
twisted/internet/defer.py:150:maybeDeferred
deluge\plugins\init.py:27:enable
build\bdist.win32\egg\deluge\plugins\autoadd\gtkui.py:354:enable

12:30:58.943 [DEBUG   ][deluge.pluginmanagerbase           :61  ] Error when disabling plugin AutoAdd: Traceback (most recent call last):
  File "twisted/internet/defer.py", line 306, in addCallbacks
    
  File "twisted/internet/defer.py", line 588, in _runCallbacks
    
  File "deluge\pluginmanagerbase.py", line 185, in on_started_error
    
  File "deluge\pluginmanagerbase.py", line 209, in disable_plugin
    
--- <exception caught here> ---
  File "twisted/internet/defer.py", line 150, in maybeDeferred
    
  File "deluge\plugins\init.py", line 30, in disable
    
  File "build\bdist.win32\egg\deluge\plugins\autoadd\gtkui.py", line 398, in disable
    
  File "deluge\ui\gtkui\pluginmanager.py", line 47, in deregister_hook
    
exceptions.ValueError: list.remove(x): x not in list