Date: Mon, 01 Jun 2015 16:46:00 -0700
From: Xin Li <delphij@delphij.net>
To: Tim Daneliuk <tundra@tundraware.com>, FreeBSD Ports Mailing List <freebsd-ports@FreeBSD.ORG>
Subject: Re: Port Fetch Failing
Message-ID: <556CEEB8.2090406@delphij.net>
In-Reply-To: <556CEBE2.7030005@tundraware.com>
References: <556CEBE2.7030005@tundraware.com>
On 06/01/15 16:33, Tim Daneliuk wrote:
> Recently, I switched a web server here to rewriting and force
> every access to go over https. This is a machine using
> self-signed certs and a fairly conservative set of protocol
> support. Apache's cipher suite is set to this:
>
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
>
> These settings were derived from doing some reading and testing
> with SSL Labs test site and - thus far - I have seen no complaints
> except from the FreeBSD ports fetch. I am getting grumpy emails
> from the master ports sites:
>
> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
> => Couldn't fetch it - please try to retrieve this
> => port manually into /portdistfiles/ and try again.
> *** [do-fetch] Error code 1
>
> Stop in /usr/ports/security/tsshbatch.
>
> Interestingly, (and strangely) no other port is reporting this
> problem, only this one.

You seem to be using FreeBSD 9.x which does not support TLSv1.1 and
TLSv1.2. They support up to TLSv1 only and there is no plan to add
TLSv1.1+ support for FreeBSD 9.x base system as we can't upgrade OpenSSL
there due to ABI change.
Disabling SSLv3 ciphers means there would be no cipher available for
TLSv1 negotiation:

% openssl ciphers 'TLSv1:-SSLv3'
Error in cipher list
34379234072:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_lib.c:1294:

So, no negotiation would succeed in this case.

I find your CipherSuite quite problematic, by the way. Why do you
enable eNULL there for instance?

Cheers,
-- 
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
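Xin Li's point (that `-SSLv3` leaves nothing a TLSv1-only client can use) and the `+eNULL` question can be traced by hand with a small simulator of the cipher-string rules documented in ciphers(1). This is an added example, not code from the thread or from OpenSSL: the cipher table is a constructed, abbreviated one with protocol tags as OpenSSL 1.0.x reported them (the TLSv1 alias selecting the same suites as SSLv3, only the newer suites tagged TLSv1.2), and APACHE_SUITE is the string from Tim's configuration.

```python
# Constructed, abbreviated cipher table; protocol tags as OpenSSL 1.0.x shows them.
CIPHERS = [  # (name, key exchange, authentication, encryption, strength, protocol)
    ("ECDHE-RSA-AES128-GCM-SHA256", "ECDH", "RSA", "AESGCM", "HIGH", "TLSv1.2"),
    ("AES256-SHA", "RSA", "RSA", "AES", "HIGH", "SSLv3"),
    ("DHE-RSA-AES128-SHA", "DH", "RSA", "AES", "HIGH", "SSLv3"),
    ("ADH-AES128-SHA", "DH", "aNULL", "AES", "HIGH", "SSLv3"),
    ("RC4-SHA", "RSA", "RSA", "RC4", "MEDIUM", "SSLv3"),
    ("DES-CBC-SHA", "RSA", "RSA", "DES", "LOW", "SSLv3"),
    ("EXP-RC4-MD5", "RSA", "RSA", "RC4", "EXPORT", "SSLv3"),
    ("NULL-SHA", "RSA", "RSA", "eNULL", "eNULL", "SSLv3"),
    ("DES-CBC3-MD5", "RSA", "RSA", "3DES", "HIGH", "SSLv2"),
]

def matches(alias, c):
    """Does cipher tuple c belong to the named alias? Unknown aliases raise KeyError."""
    _, kx, au, enc, strength, proto = c
    return {
        "ALL": enc != "eNULL",      # ALL excludes the NULL ciphers
        "ADH": kx == "DH" and au == "aNULL", "RSA": kx == "RSA", "RC4": enc == "RC4",
        "eNULL": enc == "eNULL", "HIGH": strength == "HIGH",
        "MEDIUM": strength == "MEDIUM", "LOW": strength == "LOW",
        "EXP": strength == "EXPORT", "EXPORT56": strength == "EXPORT56",
        "SSLv3": proto == "SSLv3", "TLSv1": proto == "SSLv3",  # same set in 1.0.x
        "TLSv1.2": proto == "TLSv1.2", "SSLv2": proto == "SSLv2",
    }[alias]

def cipher_list(spec):
    """Apply a cipher string token by token; return the resulting suite names in order."""
    active, killed = [], set()
    for token in spec.split(":"):
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")             # "RC4+RSA" means RC4 AND RSA
        hit = [c[0] for c in CIPHERS if all(matches(p, c) for p in parts)]
        if op == "!":                                  # delete permanently
            killed.update(hit)
            active = [n for n in active if n not in killed]
        elif op == "-":                                # delete; a later token may re-add
            active = [n for n in active if n not in hit]
        elif op == "+":                                # move to the end; adds nothing
            active = [n for n in active if n not in hit] + [n for n in active if n in hit]
        else:                                          # plain alias appends new suites
            active += [n for n in hit if n not in active and n not in killed]
    return active

APACHE_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2"

def negotiable(spec, client_speaks_tls12):
    """Suites a client can actually use; a TLSv1-only client cannot use TLSv1.2 suites."""
    proto = dict((c[0], c[5]) for c in CIPHERS)
    return [n for n in cipher_list(spec) if client_speaks_tls12 or proto[n] != "TLSv1.2"]
```

With this table APACHE_SUITE reduces to the single TLSv1.2 suite, so a TLSv1-only client such as fetch on FreeBSD 9.x has nothing to negotiate, and `+eNULL` only reorders suites already present, so it neither adds nor removes NULL-SHA.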