Port Fetch Failing
Tim Daneliuk
tundra at tundraware.com
Mon Jun 1 23:55:52 UTC 2015
On 06/01/2015 06:47 PM, Charles Swiger wrote:
> On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
>> Recently, I switched a web server here to to rewriting and force every access
>> to go over https. This is a machine using self-signed certs and a fairly
>> conservative set of protocol support. Apache's cipher suite is set to this:
>>
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
>>
>> These settings were derived from doing some reading and testing with SSL Labs test site
>> and - thus far - I have seen no complaints except from the FreeBSD ports fetch. I am
>> getting grumpy emails from the master ports sites:
>>
>> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
>> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
>> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
>> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
>> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
>> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
>> => Couldn't fetch it - please try to retrieve this
>> => port manually into /portdistfiles/ and try again.
>> *** [do-fetch] Error code 1
>
> The Qualsys scanner is informative:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com
>
> You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that only
> something which supports the newest ECDHE / GCM variants will likely be able to connect.
>
> If you want the majority of clients to be able to connect, you'll need to offer
> TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or
> TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256.
>
> Regards,
>
Thanks Chuck. I was being ultra paranoid when I did this and lifted this config from somewhere
SSL Labs sent me to as I recall. I've added the 256 bit AES ciphers back in. Hopefully,
the noise will go away now.
I appreciate your prompt response.
--
----------------------------------------------------------------------------
Tim Daneliuk tundra at tundraware.com
PGP Key: http://www.tundraware.com/PGP/
More information about the freebsd-ports
mailing list