Weak SSL config for https://grype.anchore.io

Dear Grype team,
We need to automatically download/mirror the grype database to an air-gapped environment from URL grype.anchore.io/databases/v6/latest.json as you have discontinued the hosting from toolbox-data.anchore.io.

One of our security constraints is that the source URL must have an “A” in the SSL Labs test.
Based on the current test results grype.anchore.io has a “B” because it still supports outdated TLS 1.0/1.1: SSL Server Test: grype.anchore.io (Powered by Qualys SSL Labs)

The old hosting toolbox-data.anchore.io has a good “A” in its report: SSL Server Test: toolbox-data.anchore.io (Powered by Qualys SSL Labs)

Is there really a need to support these outdated TLS versions? Could this be fixed to TLS 1.3 only?

Our security team is currently denying the whitelisting of grype.anchore.io.

Best regards,
Tim

Hi @TimBim! Thanks for letting us know. We will take a look.


Thanks for reporting! Initially I was confused, since I couldn’t seem to reproduce the test:

openssl s_client -connect grype.anchore.io:443 -servername grype.anchore.io -tls1

...
C020EEF601000000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl/statem/statem_lib.c:155:
...
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
...

^ with SNI

openssl s_client -connect 104.20.39.210:443 -tls1

...
C020EEF601000000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl/statem/statem_lib.c:155:
...
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
...

^ without SNI, using one of the test IPs from the ssllabs report

However, it looks like you can still force a downgrade with -cipher 'ALL:@SECLEVEL=0':

openssl s_client -connect grype.anchore.io:443 -servername grype.anchore.io -tls1 -cipher 'ALL:@SECLEVEL=0'
...
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Protocol: TLSv1
Server public key is 2048 bit
Secure Renegotiation IS supported
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
...

Not great! So even though we had minimum TLS set to 1.2 in the CDN, the backing store service still supported 1.0 as the minimum. We bumped the minimums on the store service to 1.2 and started to see the behavior we expected (and ssllabs has upgraded us to an A).

Thanks again for reporting 🙌

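The version-by-version check from the post above, written out as an added Python example (not code from the thread or from the Grype project): it pins one TLS version per connection and, for 1.0/1.1, applies the same 'ALL:@SECLEVEL=0' downgrade so that a refusal comes from the server rather than from the local OpenSSL. It assumes a Python whose ssl module is linked against OpenSSL; the default host name is grype.anchore.io from the thread.

```python
"""Report which TLS versions a server actually negotiates, one version per handshake."""
import socket
import ssl
import sys

# Version name -> ssl.TLSVersion, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1.0", "TLSv1.1")  # the versions that cost the host its A grade


def pinned_context(name):
    """Client context that will speak exactly one TLS version and nothing else."""
    ver = VERSIONS[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ver
    ctx.maximum_version = ver
    # We are testing what the server accepts, not whether we trust its certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if name in LEGACY:
        # Same downgrade as the s_client run in the thread: without it a modern
        # OpenSSL refuses TLS 1.0/1.1 itself ("no protocols available").
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version name: negotiated protocol string, or None if refused}."""
    results = {}
    for name in VERSIONS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with pinned_context(name).wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version()
        except (ssl.SSLError, OSError):
            results[name] = None
    return results


def legacy_accepted(results):
    """Legacy versions the server negotiated; an empty list is the desired outcome."""
    return [name for name in LEGACY if results.get(name)]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "grype.anchore.io"
    res = probe(host)
    for name, negotiated in res.items():
        print(f"{name:8} {'accepted (' + negotiated + ')' if negotiated else 'refused'}")
    bad = legacy_accepted(res)
    print("legacy TLS still accepted: " + ", ".join(bad) if bad else "only TLS 1.2+ accepted")
```

Run it against the CDN host name and, as the thread shows, also against an origin IP, since a CDN minimum can hide a weaker setting on the backing store.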

Good morning @willmurphy and @wagoodman !!!

That’s great news!

Thank you for taking care of it so quickly!

Best regards,

Tim
