Port Fetch Failing
cswiger at mac.com
Mon Jun 1 23:47:17 UTC 2015
On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
> Recently, I switched a web server here to to rewriting and force every access
> to go over https. This is a machine using self-signed certs and a fairly
> conservative set of protocol support. Apache's cipher suite is set to this:
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
> These settings were derived from doing some reading and testing with SSL Labs test site
> and - thus far - I have seen no complaints except from the FreeBSD ports fetch. I am
> getting grumpy emails from the master ports sites:
> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
> => Couldn't fetch it - please try to retrieve this
> => port manually into /portdistfiles/ and try again.
> *** [do-fetch] Error code 1
The Qualsys scanner is informative:
You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that only
something which supports the newest ECDHE / GCM variants will likely be able to connect.
If you want the majority of clients to be able to connect, you'll need to offer
TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or
TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256.
More information about the freebsd-ports