From owner-freebsd-ports@FreeBSD.ORG Mon Jun 1 23:47:17 2015
Subject: Re: Port Fetch Failing
From: Charles Swiger <cswiger@mac.com>
To: Tim Daneliuk
Cc: FreeBSD Ports Mailing List <freebsd-ports@freebsd.org>
Date: Mon, 1 Jun 2015 16:47:09 -0700
In-Reply-To: <556CEBE2.7030005@tundraware.com>
List-Id: Porting software to FreeBSD

On Jun 1, 2015, at 4:33 PM, Tim Daneliuk wrote:

> Recently, I switched a web server here to rewriting and force every access
> to go over https. This is a machine using self-signed certs and a fairly
> conservative set of protocol support. Apache's cipher suite is set to this:
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
>
> These settings were derived from doing some reading and testing with SSL Labs test site
> and - thus far - I have seen no complaints except from the FreeBSD ports fetch. I am
> getting grumpy emails from the master ports sites:
>
> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
> => Couldn't fetch it - please try to retrieve this
> => port manually into /portdistfiles/ and try again.
> *** [do-fetch] Error code 1

The Qualys scanner is informative:

https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com

You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that
only something which supports the newest ECDHE / GCM variants will likely be able
to connect.

If you want the majority of clients to be able to connect, you'll need to offer
TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or
TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256.

Regards,
-- 
-Chuck
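An added check, not part of the thread, that expands Tim's SSLCipherSuite string offline with Python's ssl module (the same OpenSSL cipher-string syntax mod_ssl uses) and reports whether the two suites Chuck names are actually offered; the CORRECTED string is my assumed replacement, not one proposed in the thread, and the point it demonstrates is that "-SSLv3" in a cipher list removes the SSLv3-era RSA AES-CBC-SHA suites rather than the protocol.

```python
import ssl

# Constructed from the thread: Tim's Apache directive, exactly as posted.
ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2"

# Assumed replacement (my suggestion, not from the thread). "-SSLv3"/"-SSLv2"
# are cipher-list tags: they drop every suite whose minimum version is SSLv3,
# which includes the plain RSA AES-CBC-SHA suites most 2015 clients relied on.
# Protocol versions are controlled with mod_ssl's SSLProtocol directive instead.
CORRECTED = "HIGH:!aNULL:!eNULL:!RC4:!3DES"

# IANA names from Chuck's reply, mapped to the OpenSSL names that
# SSLCipherSuite and SSLContext.get_ciphers() use.
LEGACY_SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
}


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it selects.

    Uses only the local OpenSSL library, so nothing touches the network.
    get_ciphers() also reports TLS 1.3 suites, which the cipher string does
    not govern, so those are filtered out to show what the string controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def missing_legacy_suites(cipher_string):
    """Return the suites from Chuck's list that the string does not offer."""
    offered = set(expand(cipher_string))
    return sorted(iana for iana, ossl in LEGACY_SUITES.items() if ossl not in offered)


if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL), ("corrected", CORRECTED)):
        names = expand(spec)
        gone = missing_legacy_suites(spec)
        print(f"{label}: {len(names)} suites; missing: {', '.join(gone) or 'none'}")
```

Run it on the web server's own OpenSSL build, since the expansion of aliases such as HIGH varies between OpenSSL versions.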