Date: Mon, 1 Jun 2015 16:47:09 -0700
From: Charles Swiger <cswiger@mac.com>
To: Tim Daneliuk <tundra@tundraware.com>
Cc: FreeBSD Ports Mailing List <freebsd-ports@FreeBSD.ORG>
Subject: Re: Port Fetch Failing
Message-ID: <D88726B1-54F3-4EAB-B455-B07C3C285B0F@mac.com>
In-Reply-To: <556CEBE2.7030005@tundraware.com>
References: <556CEBE2.7030005@tundraware.com>
On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
> Recently, I switched a web server here to rewriting and force every access
> to go over https. This is a machine using self-signed certs and a fairly
> conservative set of protocol support. Apache's cipher suite is set to this:
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
>
> These settings were derived from doing some reading and testing with SSL Labs test site
> and - thus far - I have seen no complaints except from the FreeBSD ports fetch. I am
> getting grumpy emails from the master ports sites:
>
> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
> => Couldn't fetch it - please try to retrieve this
> => port manually into /portdistfiles/ and try again.
> *** [do-fetch] Error code 1

The Qualys scanner is informative:

https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com

You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that only something which supports the newest ECDHE / GCM variants will likely be able to connect.

If you want the majority of clients to be able to connect, you'll need to offer TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256.

Regards,
-- 
-Chuck
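The mechanism behind Chuck's diagnosis is worth making checkable. In OpenSSL cipher-string syntax the words `SSLv3` and `SSLv2` do not refer to protocol versions; they select the cipher *suites* first defined for those protocols, and `AES128-SHA` (TLS_RSA_WITH_AES_128_CBC_SHA) and `AES256-SHA` are "SSLv3" suites in that sense. So `-SSLv3` in the quoted SSLCipherSuite strips exactly the CBC/SHA1 suites the reply says are missing, leaving only the SHA256/GCM suites that older clients such as the ports fetch cannot negotiate; the client then sees the "sslv3 alert handshake failure" shown above because no common suite exists. Protocol versions are governed by Apache's SSLProtocol directive instead. The following script, an added example that is not part of the original thread, expands the quoted cipher string through the local OpenSSL (via Python's `ssl` module) and reports which of the four suites named in the reply each string enables. The variant string without the version words and the IANA-to-OpenSSL name mapping are constructed for the comparison; the exact expansion depends on the OpenSSL build Python is linked against.

```python
import ssl

# SSLCipherSuite value quoted in the message above.
ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2"

# Constructed variant for comparison: the same list with the "-SSLv3:-SSLv2"
# words dropped. In OpenSSL cipher-string syntax those words remove cipher
# *suites* by the protocol version that introduced them, not protocol
# versions; protocol versions belong in Apache's SSLProtocol directive.
WITHOUT_VERSION_WORDS = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL"

# IANA suite names used in the reply, mapped to their OpenSSL names.
IANA_TO_OPENSSL = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
}


def expand(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects for cipher_string.

    TLS 1.3 suites are configured separately and are always present, so they
    are filtered out. An empty list means OpenSSL could select no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def suite_names(cipher_string):
    """OpenSSL names of the selected suites, in preference order."""
    return [c["name"] for c in expand(cipher_string)]


def suite_protocols(cipher_string):
    """Protocol labels OpenSSL attaches to the selected suites: 'SSLv3' marks
    the classic CBC/SHA1 suites such as AES128-SHA, 'TLSv1.2' the SHA256/GCM
    ones. Seeing no 'SSLv3' label is the signature of the problem above."""
    return sorted({c["protocol"] for c in expand(cipher_string)})


def offers(cipher_string, iana_names=IANA_TO_OPENSSL):
    """Map each IANA suite name to whether cipher_string enables it here."""
    enabled = set(suite_names(cipher_string))
    return {iana: IANA_TO_OPENSSL[iana] in enabled for iana in iana_names}


def report(cipher_string):
    print(f"SSLCipherSuite {cipher_string}")
    labels = ", ".join(suite_protocols(cipher_string)) or "(none)"
    print("  suite protocol labels:", labels)
    for iana, present in offers(cipher_string).items():
        print(f"  {iana:34s} {'offered' if present else 'MISSING'}")


if __name__ == "__main__":
    report(ORIGINAL)
    report(WITHOUT_VERSION_WORDS)
```

Running it prints "MISSING" for both CBC_SHA suites under the quoted string and "offered" for all four under the variant, which is the change the reply asks for. The corresponding Apache fix keeps the protocol restriction where it belongs (`SSLProtocol all -SSLv2 -SSLv3`) and leaves the version words out of SSLCipherSuite; the SSL Labs scan linked above then shows the handshake simulation for older clients turning green.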