From owner-freebsd-ports@FreeBSD.ORG Mon Jun 1 23:46:08 2015
From: Xin Li
Reply-To: d@delphij.net
Organization: The FreeBSD Project
To: Tim Daneliuk, FreeBSD Ports Mailing List
Subject: Re: Port Fetch Failing
Date: Mon, 01 Jun 2015 16:46:00 -0700
Message-ID: <556CEEB8.2090406@delphij.net>
In-Reply-To: <556CEBE2.7030005@tundraware.com>
References: <556CEBE2.7030005@tundraware.com>
List-Id: Porting software to FreeBSD
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 06/01/15 16:33, Tim Daneliuk wrote:
> Recently, I switched a web server here to rewriting and force
> every access to go over https. This is a machine using
> self-signed certs and a fairly conservative set of protocol
> support. Apache's cipher suite is set to this:
>
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
>
> These settings were derived from doing some reading and testing
> with SSL Labs test site and - thus far - I have seen no complaints
> except from the FreeBSD ports fetch. I am getting grumpy emails
> from the master ports sites:
>
> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
> => Couldn't fetch it - please try to retrieve this
> => port manually into /portdistfiles/ and try again.
> *** [do-fetch] Error code 1
>
> Stop in /usr/ports/security/tsshbatch.
>
>
> Interestingly, (and strangely) no other port is reporting this
> problem, only this one.

You seem to be using FreeBSD 9.x, which does not support TLSv1.1 and
TLSv1.2. They support up to TLSv1 only, and there is no plan to add
TLSv1.1+ support for the FreeBSD 9.x base system, as we can't upgrade
OpenSSL there due to an ABI change.
Disabling SSLv3 ciphers means there would be no cipher available for
TLSv1 negotiation:

% openssl ciphers 'TLSv1:-SSLv3'
Error in cipher list
34379234072:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_lib.c:1294:

So, no negotiation would succeed in this case.

I find your CipherSuite quite problematic, by the way. Why do you
enable eNULL there, for instance?

Cheers,
- -- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.4 (FreeBSD)

iQIcBAEBCgAGBQJVbO64AAoJEJW2GBstM+nsVEQP+wZrco8vDXzLRcVJ6xVJ/exo
PGFJwW6EwllssPvgt7wtayCKtlNY4olnD/r4n6Z80B2VbfXiKtOYXGjv2BNc1Dys
/L1+fMV5TcGeO7lcUD19CO/WZf2Bqnmno/frWpV/6uCAwcIYhkY/JCEeist6HgNN
wrYInVAxbV062AZiD5GKgifjSSARUg819p3/QiQ00v+uGG5U9xMMQWDnkMCvY4Wu
xijiybU+OWI4EWeNQTQzNFXKP76A4ONs5YKeIgrWe4CXtSLgcJO1PE7k/OHxvrca
3IEsfyeXh7Z3yzcsREwAU47E/qfzd+K1Miya2Svt1yRi9oeBg6HpnXEh/WjcqLWe
0fEncBPfegFKvkuADewkDSL4V32+sG0rd2qRWLnsi9BGWzmtQ2pMo/nJkuuWU6Vm
H9Am8DGMr3u+In/v/DrwHdk5vQnjzxoseyPf8stttvk9QgEEWZRYSALAb0x1uw8q
c/5m3HXsMDe4O9w4iw5QzjFsG7eSXrbCqLkNOnrC34RCTBQiAOAtwa7+Jv9Xcwsp
ET+vXdJ76OoSBY9FHNLMKrJC0rfGzC704K90vvMeKlZxCZZzxrf4ZPe64mvuircI
2DJHdN+0TkxarrC+lx2dV8avSjtOvAn1XH/aq++tmX1zsMrsQ4BtHWxjz/phQ3Nf
Pn+BrSCIhn4hv0i5vTO8
=oL1C
-----END PGP SIGNATURE-----
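Added example, not part of the mail thread and not OpenSSL's own code: a small Python model of how OpenSSL resolves a cipher-list string (bare keyword appends, `+` reorders, `-` removes, `!` removes permanently, `A+B` intersects), run over a constructed subset of the OpenSSL 1.0.x suite table. It shows why `TLSv1:-SSLv3` is empty and why the posted SSLCipherSuite leaves nothing a TLSv1.0-only client such as the FreeBSD 9.x base `fetch` can negotiate. The suite table, the `resolve` and `negotiate` helpers and the `REPLACEMENT` string are illustrative assumptions; only the `POSTED` string and the `TLSv1:-SSLv3` query come from the mail.

```python
"""Toy model of OpenSSL cipher-list resolution (added example, not OpenSSL code).

Approximates the rules in ciphers(1).  The suite table below is a constructed
subset of what OpenSSL 1.0.x ships, with the protocol tag that
`openssl ciphers -v` prints: TLSv1.0 and TLSv1.1 have no suites of their own,
they reuse the SSLv3 ones, so `-SSLv3` also strips every suite a TLSv1.0-only
client could use.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange: RSA, ECDH, DH
    au: str        # authentication: RSA or NONE (anonymous)
    enc: str       # bulk cipher: AESGCM256, AES256, AES128, 3DES, DES, RC4, NULL
    bits: int      # effective key size (0 for NULL)
    strength: str  # HIGH, MEDIUM, LOW, EXP, NULL (as OpenSSL 1.0.x classed them)
    version: str   # "SSLv3" (also used by TLSv1.0/1.1) or "TLSv1.2"


# Constructed table in server preference order (assumption, not a real dump).
SUITES: List[Suite] = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM256", 256, "HIGH", "TLSv1.2"),
    Suite("ECDHE-RSA-AES128-SHA256",     "ECDH", "RSA", "AES128",    128, "HIGH", "TLSv1.2"),
    Suite("AES256-GCM-SHA384",           "RSA",  "RSA", "AESGCM256", 256, "HIGH", "TLSv1.2"),
    Suite("ECDHE-RSA-AES256-SHA",        "ECDH", "RSA", "AES256",    256, "HIGH", "SSLv3"),
    Suite("AES256-SHA",                  "RSA",  "RSA", "AES256",    256, "HIGH", "SSLv3"),
    Suite("AES128-SHA",                  "RSA",  "RSA", "AES128",    128, "HIGH", "SSLv3"),
    Suite("DES-CBC3-SHA",                "RSA",  "RSA", "3DES",      168, "HIGH", "SSLv3"),
    Suite("RC4-SHA",                     "RSA",  "RSA", "RC4",       128, "MEDIUM", "SSLv3"),
    Suite("ADH-AES256-SHA",              "DH",   "NONE", "AES256",   256, "HIGH", "SSLv3"),
    Suite("EXP1024-DES-CBC-SHA",         "RSA",  "RSA", "DES",        56, "EXP",  "SSLv3"),
    Suite("EXP-DES-CBC-SHA",             "RSA",  "RSA", "DES",        40, "EXP",  "SSLv3"),
    Suite("NULL-SHA",                    "RSA",  "RSA", "NULL",        0, "NULL", "SSLv3"),
    Suite("NULL-SHA256",                 "RSA",  "RSA", "NULL",        0, "NULL", "TLSv1.2"),
]

# Keyword -> predicate.  TLSv1 is an alias of SSLv3 in OpenSSL 1.0.x's table.
KEYWORDS: Dict[str, Callable[[Suite], bool]] = {
    "ALL":      lambda s: s.enc != "NULL",      # ALL excludes eNULL, includes aNULL
    "HIGH":     lambda s: s.strength == "HIGH",
    "MEDIUM":   lambda s: s.strength == "MEDIUM",
    "LOW":      lambda s: s.strength == "LOW",
    "EXP":      lambda s: s.strength == "EXP",
    "EXPORT":   lambda s: s.strength == "EXP",
    "EXPORT40": lambda s: s.strength == "EXP" and s.bits == 40,
    "EXPORT56": lambda s: s.strength == "EXP" and s.bits == 56,
    "eNULL":    lambda s: s.enc == "NULL",
    "NULL":     lambda s: s.enc == "NULL",
    "aNULL":    lambda s: s.au == "NONE",
    "ADH":      lambda s: s.kx == "DH" and s.au == "NONE",
    "RSA":      lambda s: s.kx == "RSA" and s.au == "RSA",
    "kRSA":     lambda s: s.kx == "RSA",
    "aRSA":     lambda s: s.au == "RSA",
    "ECDH":     lambda s: s.kx == "ECDH",
    "RC4":      lambda s: s.enc == "RC4",
    "AES":      lambda s: s.enc.startswith("AES"),
    "3DES":     lambda s: s.enc == "3DES",
    "SSLv2":    lambda s: s.version == "SSLv2",
    "SSLv3":    lambda s: s.version == "SSLv3",
    "TLSv1":    lambda s: s.version == "SSLv3",
    "TLSv1.2":  lambda s: s.version == "TLSv1.2",
}


def _matches(token: str) -> Callable[[Suite], bool]:
    """'RC4+RSA' -> suites matching every '+'-joined keyword; exact names allowed."""
    preds = []
    for p in token.split("+"):
        if p in KEYWORDS:
            preds.append(KEYWORDS[p])
        elif any(s.name == p for s in SUITES):
            preds.append(lambda s, n=p: s.name == n)
        else:
            raise ValueError(f"unknown cipher keyword: {p!r}")
    return lambda s: all(f(s) for f in preds)


def resolve(rule_string: str, table: List[Suite] = SUITES) -> List[str]:
    """Return the suite names the rule string selects, in final order.

    Raises ValueError("no cipher match") when the list ends up empty, which is
    what SSL_CTX_set_cipher_list reports in the openssl error quoted above.
    """
    active: List[Suite] = []
    killed = set()
    for raw in rule_string.replace(",", ":").split(":"):
        tok = raw.strip()
        if not tok or tok.startswith("@"):   # '@STRENGTH' and friends not modelled
            continue
        op, body = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        hit = _matches(body)
        if op == "!":                         # permanent removal, cannot be re-added
            killed.update(s.name for s in table if hit(s))
            active = [s for s in active if s.name not in killed]
        elif op == "-":                       # removal, may be re-added by a later rule
            active = [s for s in active if not hit(s)]
        elif op == "+":                       # reorder only: move selected matches to the end
            active = [s for s in active if not hit(s)] + [s for s in active if hit(s)]
        else:                                 # append new matches in table order
            present = {s.name for s in active}
            active += [s for s in table
                       if hit(s) and s.name not in present and s.name not in killed]
    if not active:
        raise ValueError("no cipher match")
    return [s.name for s in active]


def negotiate(server_rule: str, client_max: str) -> Optional[str]:
    """First suite in server order that a client capped at client_max can use.

    A client whose highest protocol is TLSv1.0 (the FreeBSD 9.x base OpenSSL in
    the mail) can only use SSLv3-tagged suites; None means handshake failure.
    """
    by_name = {s.name: s for s in SUITES}
    usable = {"SSLv3"} if client_max in ("SSLv3", "TLSv1", "TLSv1.1") else {"SSLv3", "TLSv1.2"}
    for name in resolve(server_rule):
        if by_name[name].version in usable:
            return name
    return None


# The SSLCipherSuite from the mail, and an assumed replacement that leaves
# protocol selection to SSLProtocol instead of the cipher string.
POSTED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2"
REPLACEMENT = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!3DES"

if __name__ == "__main__":
    try:
        resolve("TLSv1:-SSLv3")
    except ValueError as e:
        print("TLSv1:-SSLv3 ->", e)
    print("posted suite list            ->", resolve(POSTED))
    print("TLSv1.0 client vs posted      ->", negotiate(POSTED, "TLSv1"))
    print("TLSv1.0 client vs replacement ->", negotiate(REPLACEMENT, "TLSv1"))
```

Run stand-alone, it reports `no cipher match` for `TLSv1:-SSLv3`, shows that the posted string leaves only the three TLSv1.2 suites (so a TLSv1.0-capped client gets `None`, the handshake failure `fetch` printed), and that the replacement still offers `ECDHE-RSA-AES256-SHA` to that client. The practical lesson is that protocol versions are controlled by Apache's `SSLProtocol` directive, not by deleting `SSLv3` from the cipher list, because TLSv1.0 and TLSv1.1 have no cipher suites of their own.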