Date: Mon, 01 Jun 2015 18:55:46 -0500 From: Tim Daneliuk <tundra@tundraware.com> To: Charles Swiger <cswiger@mac.com> Cc: FreeBSD Ports Mailing List <freebsd-ports@FreeBSD.ORG> Subject: Re: Port Fetch Failing Message-ID: <556CF102.6030007@tundraware.com> In-Reply-To: <D88726B1-54F3-4EAB-B455-B07C3C285B0F@mac.com> References: <556CEBE2.7030005@tundraware.com> <D88726B1-54F3-4EAB-B455-B07C3C285B0F@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 06/01/2015 06:47 PM, Charles Swiger wrote: > On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <tundra@tundraware.com> wrote: >> Recently, I switched a web server here to to rewriting and force every access >> to go over https. This is a machine using self-signed certs and a fairly >> conservative set of protocol support. Apache's cipher suite is set to this: >> >> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2 >> >> These settings were derived from doing some reading and testing with SSL Labs test site >> and - thus far - I have seen no complaints except from the FreeBSD ports fetch. I am >> getting grumpy emails from the master ports sites: >> >> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/. >> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz >> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found >> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz >> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593: >> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error >> => Couldn't fetch it - please try to retrieve this >> => port manually into /portdistfiles/ and try again. >> *** [do-fetch] Error code 1 > > The Qualsys scanner is informative: > > https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com > > You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that only > something which supports the newest ECDHE / GCM variants will likely be able to connect. > > If you want the majority of clients to be able to connect, you'll need to offer > TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or > TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256. > > Regards, > Thanks Chuck. I was being ultra paranoid when I did this and lifted this config from somewhere SSL Labs sent me to as I recall. I've added the 256 bit AES ciphers back in. Hopefully, the noise will go away now. I appreciate your prompt response. -- ---------------------------------------------------------------------------- Tim Daneliuk tundra@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?556CF102.6030007>