author | Santiago Torres <santiago@archlinux.org> | 2020-01-05 20:09:02 -0500 |
---|---|---|
committer | Jelle van der Waa <jelle@archlinux.org> | 2020-08-03 21:38:11 +0200 |
commit | 8b2f897702d6e3713c99f3266ac7c055d6ae6526 (patch) | |
tree | 6d962947ba1f64441cea158f5acdba4af70118e9 | |
parent | 24fb87ba6e9ce6ec77b666c1fd476b9f93c547cc (diff) | |
netboot: add downgraded cipher banner
The banner is pretty self-explanatory. Inform users that the chainloaded
script is served with downgraded ciphers due to a limitation in the SSL
stack of iPXE. Also, add a configuration variable so that downstream
users of archweb can prevent the banner from displaying.
-rw-r--r-- | local_settings.py.example | 3 | ||||
-rw-r--r-- | releng/views.py | 4 | ||||
-rw-r--r-- | templates/releng/netboot.html | 13 |
3 files changed, 19 insertions, 1 deletions
diff --git a/local_settings.py.example b/local_settings.py.example index f5b167f5..63c5d845 100644 --- a/local_settings.py.example +++ b/local_settings.py.example @@ -54,4 +54,7 @@ MEDIA_URL = '/media/img/' ## Make this unique, and don't share it with anybody. SECRET_KEY = '00000000000000000000000000000000000000000000000' +## Display a warning if serving netboot images on downgraded ciphers +NETBOOT_SECURITY_BANNER=True + # vim: set ts=4 sw=4 et: diff --git a/releng/views.py b/releng/views.py index cd6ceae8..8699c5b2 100644 --- a/releng/views.py +++ b/releng/views.py @@ -6,6 +6,7 @@ from django.urls import reverse from django.http import Http404, HttpResponse from django.shortcuts import get_object_or_404, render from django.views.generic import DetailView, ListView +from django.conf import settings from .models import Release from mirrors.models import MirrorUrl @@ -89,6 +90,7 @@ def netboot_config(request): def netboot_info(request): - return render(request, "releng/netboot.html", None) + return render(request, "releng/netboot.html", + {'security_banner': settings.NETBOOT_SECURITY_BANNER}) # vim: set ts=4 sw=4 et: diff --git a/templates/releng/netboot.html b/templates/releng/netboot.html index 2a007f7d..0647abe2 100644 --- a/templates/releng/netboot.html +++ b/templates/releng/netboot.html @@ -28,6 +28,19 @@ The integrity of all downloaded files is verified with cryptographic signatures. </p> +{% if security_banner %} +<h3> A note on security </h3> + +Be advised that, due to limitations with the <a + href='https://lists.ipxe.org/pipermail/ipxe-devel/2019-November/006808.html'>iPXE + SSL stack</a>, the chainloading script for the iPXE image is served using a +downgraded list of cipher-suites under ipxe.archlinux.org. The cipher-suites +---RSA-AES256-CBC-SHA256 -- served on this domain are not the recommended list +on the mozilla observatory, yet they still yield a reasonable degree of +protection/authentication. + +{% endif %} + <h3>Download</h3> <h4>BIOS</h4> |
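Review bot: `settings.NETBOOT_SECURITY_BANNER` in `netboot_info` (releng/views.py, second hunk) is read unconditionally, yet the only definition this commit adds is in `local_settings.py.example`; a deployment whose local settings predate the change would, as far as this diff shows, raise AttributeError and answer the netboot page with a 500. Reading the flag with a default keeps the page up and makes the security notice opt-out rather than opt-in: `{'security_banner': getattr(settings, 'NETBOOT_SECURITY_BANNER', True)}`. Whether the base settings module supplies a default is not visible here, so that should be confirmed. In the example file, `NETBOOT_SECURITY_BANNER = True` with spaces around `=` would match the neighbouring `SECRET_KEY = ...` line.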
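Review bot: The text inside the new `{% if security_banner %}` block in templates/releng/netboot.html is not wrapped in a `<p>` element, unlike the paragraph closed just above it, and the suite name is written with mismatched dashes as `---RSA-AES256-CBC-SHA256 --`. Wrapping the note in `<p>…</p>` and marking the name up as `<code>RSA-AES256-CBC-SHA256</code>` would render it consistently with the rest of the page. If that name denotes a static-RSA key exchange, the banner could state what is given up (no forward secrecy) rather than only that the list is "not the recommended" one. It could also point back to the signature verification described in the preceding paragraph as the control that protects the downloaded files.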