Add insecure cipher suites for Axis cameras#2212

Open
JeremyH76 wants to merge 1 commit into
AlexxIT:masterfrom
JeremyH76:master

Conversation

@JeremyH76

Adding two insecure cipher suites so that connecting to Axis cameras succeeds.

#2211


Copilot AI left a comment


Pull request overview

This PR expands the set of insecure TLS cipher suites used by pkg/tcp when connecting to endpoints that require relaxed TLS settings (notably Axis cameras hitting tls: handshake failure per #2211).

Changes:

  • Add two RSA+AES-CBC-SHA1 cipher suites to the existing insecureConfig TLS cipher list.
  • Broaden compatibility with legacy Axis camera TLS stacks that don’t support the currently-offered suites.


Comment thread pkg/tcp/request.go
Comment on lines 152 to +157
// this cipher suites disabled starting from https://tip.golang.org/doc/go1.22
// but cameras can't work without them https://github.com/AlexxIT/go2rtc/issues/1172
tls.TLS_RSA_WITH_AES_128_GCM_SHA256, // insecure
tls.TLS_RSA_WITH_AES_256_GCM_SHA384, // insecure
tls.TLS_RSA_WITH_AES_128_CBC_SHA, // insecure
tls.TLS_RSA_WITH_AES_256_CBC_SHA, // insecure
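Review bot: the two CBC-SHA suites added on lines 156 to 157 go into the same unconditional list as the RSA-GCM entries above them, so a server that prefers them negotiates a non-AEAD, SHA-1-MAC, RSA key-exchange suite (no forward secrecy) on the first and only handshake; offer them only on a retry after the strict handshake fails, or behind an explicit per-stream option. The comment on line 152 also needs fixing: "this cipher suites disabled starting from" should read "these cipher suites are disabled starting from", and it should cite #2211 next to #1172, since #1172 is the stated reason for the GCM entries and says nothing about the CBC ones added here.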

Copilot AI Apr 20, 2026


The comment above these cipher suites has a grammar issue ("this cipher suites") and now no longer reflects why the additional RSA+CBC suites were added. Please fix the wording (e.g., "these cipher suites are disabled...") and include a reference to the Axis handshake failure issue (#2211) alongside #1172 so future readers understand why these specific suites are enabled.

Comment thread pkg/tcp/request.go
Comment on lines +156 to +157
tls.TLS_RSA_WITH_AES_128_CBC_SHA, // insecure
tls.TLS_RSA_WITH_AES_256_CBC_SHA, // insecure

Copilot AI Apr 20, 2026


Adding TLS_RSA_WITH_AES_{128,256}_CBC_SHA expands the insecureConfig cipher list for both the explicit "httpx" scheme and all "https" requests to IP hosts. Because servers may select these weaker non-AEAD SHA1 CBC suites even when stronger options are available, consider enabling them only as a fallback (e.g., retry the handshake after a failure with a broader cipher list) or gating them behind an explicit opt-in to avoid unintended downgrade of connections that would otherwise negotiate a better cipher.

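The fallback Copilot describes above (retry with the broader list only after a handshake failure, instead of offering the CBC-SHA1 suites to every host), worked through as an added Go example. This is my code, not go2rtc's pkg/tcp and not Copilot's: DialWithFallback, StartTestServer, strictSuites and legacySuites are names I chose, and the in-process TLS 1.2-only server with a self-signed RSA certificate is a constructed stand-in for a camera, not an Axis device. The first dial offers only ECDHE AEAD suites; a second dial with the four RSA suites from the PR happens only when the server answered with a handshake_failure alert, and certificate verification against a pinned root stays on for both attempts.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// strictSuites is all the first attempt offers: forward-secret ECDHE AEAD suites.
var strictSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// legacySuites appends the four RSA key-exchange suites from the PR (no forward
// secrecy; the two CBC-SHA ones are also non-AEAD). Offered only on the retry.
var legacySuites = append(append([]uint16{}, strictSuites...),
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
)

// DialWithFallback dials with strictSuites and re-dials with legacySuites only when
// the server refused the first handshake. Certificate verification against roots
// stays on for both attempts. The bool reports whether the fallback was used.
func DialWithFallback(addr string, roots *x509.CertPool) (*tls.Conn, bool, error) {
	strict := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, CipherSuites: strictSuites}
	conn, err := tls.Dial("tcp", addr, strict)
	if err == nil {
		return conn, false, nil
	}
	// A TLS 1.2 server with no common suite answers with a handshake_failure alert
	// ("remote error: tls: handshake failure"); any other error is no reason to downgrade.
	if !strings.Contains(err.Error(), "handshake failure") {
		return nil, false, err
	}
	legacy := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, CipherSuites: legacySuites}
	conn, err = tls.Dial("tcp", addr, legacy)
	return conn, true, err
}

// StartTestServer runs a TLS 1.2-only listener limited to suites, a demo fixture that stands
// in for a camera with a legacy TLS stack. Returns the address, a pool trusting its cert, and stop.
func StartTestServer(suites []uint16) (addr string, roots *x509.CertPool, stop func()) {
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // RSA key exchange needs an RSA key
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // the SAN the client verifies
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	roots = x509.NewCertPool()
	roots.AddCert(must(x509.ParseCertificate(der)))
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // TLS 1.3 ignores CipherSuites, so pin 1.2
		CipherSuites: suites,
	}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c) // finish or fail, then hang up
		}
	}()
	return ln.Addr().String(), roots, func() { ln.Close() }
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	for name, suites := range map[string][]uint16{
		"modern server": {tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
		"legacy camera": {tls.TLS_RSA_WITH_AES_128_CBC_SHA},
	} {
		addr, roots, stop := StartTestServer(suites)
		conn, fellBack, err := DialWithFallback(addr, roots)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: fallback=%v suite=%s\n", name, fellBack, tls.CipherSuiteName(conn.ConnectionState().CipherSuite))
		conn.Close()
		stop()
	}
}
```

Two caveats on the design. The server-side fixture pins MaxVersion to TLS 1.2 because Go does not let Config.CipherSuites influence TLS 1.3, so a 1.3-capable camera would never reach the RSA suites anyway. And the fallback is only a mitigation: an on-path attacker who can break the first handshake can still push the client onto the RSA suites, which is why the retry keeps certificate verification instead of InsecureSkipVerify, and why an explicit per-host opt-in remains the stronger option.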

2 participants