The TLS/HTTPS server configuration of bugs.gentoo.org enables anonymous cipher suites: https://www.ssllabs.com/ssltest/analyze.html?d=bugs.gentoo.org This is bad. Anon ciphers are not really suited for web use (and likely they'll be removed in the upcoming TLS 1.3), because they provide no authentication. They should be disabled. (There are a couple of other things in the TLS config that could be improved, e.g. enabling HSTS, OCSP stapling, disabling RC4, but I think the cipher suite issue is the most severe one)
whats the status here? I noticed the same thing and am kind of interested, that this gets resolved, too.
Status: RESOLVED FIXED as per the bug metadata
Oh I missed the bugs.* part. I was checking the root domain today: gentoo.org and there are the same security concerns described for bugs.gentoo.org. But I guess this should be another bug :/ sorry for that.
*** Bug 538122 has been marked as a duplicate of this bug. ***
