>From address@hidden Thu Jul 14 06:13:58 2016
Date: Thu, 14 Jul 2016 06:13:58 +0000
From: Juuso Lapinlampi <address@hidden>
To: address@hidden
Cc: address@hidden
Subject: HSTS policy on gnu.org prevents loading *.savannah.gnu.org
Message-ID: <address@hidden>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Status: RO
Content-Length: 473
Lines: 16

gnu.org enforces a HSTS policy with includeSubDomains.

The following subdomains however do not support HTTPS:

    git.savannah.gnu.org
    vcs.savannah.gnu.org
    bzr.savannah.gnu.org

It is thus not possible to browse the source code in HSTS-enforcing
user-agents. savannah.gnu.org links to these subdomains with "browse
source repository".

Please apply one of the following fixes:

1. Add HTTPS support to *.savannah.gnu.org; or
2. Modify the HSTS policy on gnu.org.

>From address@hidden Thu Jul 14 17:17:49 2016
Return-Path: address@hidden
Delivered-To: address@hidden
Received: from rt.gnu.org (rt.gnu.org [74.94.156.213])
	by mail.partyvan.eu (OpenSMTPD) with ESMTPS id 69378bb0
	TLS version=TLSv1 cipher=AES256-SHA bits=256 verify=NO
	for <address@hidden>;
	Thu, 14 Jul 2016 17:17:49 +0000 (UTC)
Received: from www-data by rt.gnu.org with local (Exim 4.69)
	(envelope-from <address@hidden>)
	id 1bNkGg-0001TS-8h
	for address@hidden; Thu, 14 Jul 2016 13:17:46 -0400
Subject: [gnu.org #1127678] HSTS policy on gnu.org prevents loading *.savannah.gnu.org 
From: "Lisa Maginnis via RT" <address@hidden>
Reply-To: address@hidden
In-Reply-To: <address@hidden>
References: <address@hidden> <address@hidden>
Message-ID: <address@hidden>
Precedence: bulk
X-RT-Loop-Prevention: gnu.org
RT-Ticket: gnu.org #1127678
Managed-by: RT 3.4.5 (http://www.bestpractical.com/rt/)
RT-Originator: address@hidden
To: address@hidden
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Thu, 14 Jul 2016 13:17:46 -0400
Status: RO
X-Status: A
Content-Length: 511
Lines: 21

Hello,

Thank you for this report. I have removed the `subdomain' directive from
our HSTS header on gnu.org. This should resolve the issue for you
(pending clearing your browser cache in some cases). 

In the mean time I have also contacted the Savannah team about
configuring SSL the domains you listed.

Thanks & Happy hackingz,

-- 
~Lisa Marie Maginnis
Senior System Administrator
Free Software Foundation
http://fsf.org http://gnu.org
GPG Key: 61EEC710

Support our infrastructure!
https://donate.fsf.org


>From address@hidden Thu Jul 14 17:31:01 2016
Date: Thu, 14 Jul 2016 17:31:01 +0000
From: Juuso Lapinlampi <address@hidden>
To: Lisa Maginnis via RT <address@hidden>
Subject: Re: [gnu.org #1127678] HSTS policy on gnu.org prevents loading
 *.savannah.gnu.org
Message-ID: <address@hidden>
References: <address@hidden>
 <address@hidden>
 <address@hidden>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <address@hidden>
User-Agent: Mutt/1.5.24 (2015-08-30)
Status: RO
Content-Length: 293
Lines: 6

On Thu, Jul 14, 2016 at 01:17:46PM -0400, Lisa Maginnis via RT wrote:
> In the mean time I have also contacted the Savannah team about
> configuring SSL the domains you listed.

All versions of SSL are considered insecure: please do not use them.
TLS1.0+ is still considered to be reasonable.

>From address@hidden Thu Jul 14 17:38:52 2016
Return-Path: address@hidden
Delivered-To: address@hidden
Received: from rt.gnu.org (rt.gnu.org [74.94.156.213])
	by mail.partyvan.eu (OpenSMTPD) with ESMTPS id 5372322e
	TLS version=TLSv1 cipher=AES256-SHA bits=256 verify=NO
	for <address@hidden>;
	Thu, 14 Jul 2016 17:38:52 +0000 (UTC)
Received: from www-data by rt.gnu.org with local (Exim 4.69)
	(envelope-from <address@hidden>)
	id 1bNkb3-0001xm-MU
	for address@hidden; Thu, 14 Jul 2016 13:38:49 -0400
Subject: [gnu.org #1127678] HSTS policy on gnu.org prevents loading *.savannah.gnu.org 
From: "Lisa Maginnis via RT" <address@hidden>
Reply-To: address@hidden
In-Reply-To: <address@hidden>
References: <address@hidden> <address@hidden> <address@hidden> <address@hidden> <address@hidden>
Message-ID: <address@hidden>
Precedence: bulk
X-RT-Loop-Prevention: gnu.org
RT-Ticket: gnu.org #1127678
Managed-by: RT 3.4.5 (http://www.bestpractical.com/rt/)
RT-Originator: address@hidden
To: address@hidden
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-RT-Original-Encoding: utf-8
Date: Thu, 14 Jul 2016 13:38:49 -0400
Status: RO
Content-Length: 776
Lines: 24

> On Thu, Jul 14, 2016 at 01:17:46PM -0400, Lisa Maginnis via RT wrote:
> > In the mean time I have also contacted the Savannah team about
> > configuring SSL the domains you listed.
> 
> All versions of SSL are considered insecure: please do not use them.
> TLS1.0+ is still considered to be reasonable.

In this case I meant TLS1.0+, the FSF has a strict no SSLv2 or SSLv3
policy for hosting HTTPS. Since the exploits BEAST (CVE-2011-3389) and
POODLE (CVE-2014-3566) have rendered SSLv2 and SSLv3 obsolete, a lot of
people still use the word SSL while meaning TLS.

Thank you for your concern,

-- 
~Lisa Marie Maginnis
Senior System Administrator
Free Software Foundation
http://fsf.org http://gnu.org
GPG Key: 61EEC710

Support our infrastructure!
https://donate.fsf.org