Port Fetch Failing

Tim Daneliuk tundra at tundraware.com
Mon Jun 1 23:55:52 UTC 2015 

On 06/01/2015 06:47 PM, Charles Swiger wrote:
> On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <tundra at tundraware.com> wrote:
>> Recently, I switched a web server here to to rewriting and force every access
>> to go over https.   This is a machine using self-signed certs and a fairly
>> conservative set of protocol support.  Apache's cipher suite is set to this:
>>
>> SSLCipherSuite  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
>>
>> These settings were derived from doing some reading and testing with SSL Labs test site
>> and - thus far - I have seen no complaints except from the FreeBSD ports fetch.  I am
>> getting grumpy emails from the master ports sites:
>>
>> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
>> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
>> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
>> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
>> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
>> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
>> => Couldn't fetch it - please try to retrieve this
>> => port manually into /portdistfiles/ and try again.
>> *** [do-fetch] Error code 1
> 
> The Qualsys scanner is informative:
> 
>    https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com
> 
> You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that only
> something which supports the newest ECDHE / GCM variants will likely be able to connect.
> 
> If you want the majority of clients to be able to connect, you'll need to offer
> TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or
> TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256.
> 
> Regards,
> 


Thanks Chuck.  I was being ultra paranoid when I did this and lifted this config from somewhere
SSL Labs sent me to as I recall.   I've added the 256 bit AES ciphers back in. Hopefully,
the noise will go away now.

I appreciate your prompt response.


-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra at tundraware.com
PGP Key:         http://www.tundraware.com/PGP/

More information about the freebsd-ports mailing list