snoyberg/http-client

http-client-tls vulnerable to Logjam?

oherrala opened this issue · 2 comments

ssllabs.com has a test for Logjam in their client tests. This is probably an issue in Haskell's tls library instead of http-client-tls. Ping @vincenthz.

```
Prelude> import Network.HTTP.Client
Prelude> import Network.HTTP.Client.TLS
Prelude> manager <- newManager tlsManagerSettings
Prelude> request <- parseRequest "https://www.ssllabs.com:10445/"
Prelude> response <- httpLbs request manager
Prelude> print response
Response {responseStatus = Status {statusCode = 200, statusMessage = "OK"}, responseVersion = HTTP/1.1 ... <output cleaned>
```

I expect this simple test to throw an exception or otherwise fail instead of making a successful connection.

Chrome, Firefox and Safari don't allow connection to this test host.

This was found with the TryTLS test tool: https://github.com/ouspg/trytls

Logjam is very much a policy choice. Tracking this at haskell-tls/hs-tls#157

Upstream issue, closing.