From owner-freebsd-ports@FreeBSD.ORG  Mon Jun  1 23:55:52 2015
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id E2F3DEB4
 for <freebsd-ports@FreeBSD.ORG>; Mon,  1 Jun 2015 23:55:51 +0000 (UTC)
 (envelope-from tundra@tundraware.com)
Received: from ozzie.tundraware.com (ozzie.tundraware.com [75.145.138.73])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "ozzie.tundraware.com",
 Issuer "ozzie.tundraware.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id A6A5B1303
 for <freebsd-ports@FreeBSD.ORG>; Mon,  1 Jun 2015 23:55:51 +0000 (UTC)
 (envelope-from tundra@tundraware.com)
Received: from [192.168.0.2] (viper.tundraware.com [192.168.0.2])
 (authenticated bits=0)
 by ozzie.tundraware.com (8.14.9/8.14.9) with ESMTP id t51NtkGx014246
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
 Mon, 1 Jun 2015 18:55:46 -0500 (CDT)
 (envelope-from tundra@tundraware.com)
Message-ID: <556CF102.6030007@tundraware.com>
Date: Mon, 01 Jun 2015 18:55:46 -0500
From: Tim Daneliuk <tundra@tundraware.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Charles Swiger <cswiger@mac.com>
CC: FreeBSD Ports Mailing List <freebsd-ports@FreeBSD.ORG>
Subject: Re: Port Fetch Failing
References: <556CEBE2.7030005@tundraware.com>
 <D88726B1-54F3-4EAB-B455-B07C3C285B0F@mac.com>
In-Reply-To: <D88726B1-54F3-4EAB-B455-B07C3C285B0F@mac.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.4.3
 (ozzie.tundraware.com [75.145.138.73]); Mon, 01 Jun 2015 18:55:46 -0500 (CDT)
X-TundraWare-MailScanner-Information: Please contact the ISP for more
 information
X-TundraWare-MailScanner-ID: t51NtkGx014246
X-TundraWare-MailScanner: Found to be clean
X-TundraWare-MailScanner-From: tundra@tundraware.com
X-Spam-Status: No
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2015 23:55:52 -0000

On 06/01/2015 06:47 PM, Charles Swiger wrote:
> On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <tundra@tundraware.com> wrote:
>> Recently, I switched a web server here to to rewriting and force every access
>> to go over https.   This is a machine using self-signed certs and a fairly
>> conservative set of protocol support.  Apache's cipher suite is set to this:
>>
>> SSLCipherSuite  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2
>>
>> These settings were derived from doing some reading and testing with SSL Labs test site
>> and - thus far - I have seen no complaints except from the FreeBSD ports fetch.  I am
>> getting grumpy emails from the master ports sites:
>>
>> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/.
>> => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz
>> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: Not Found
>> => Attempting to fetch http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz
>> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593:
>> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: Authentication error
>> => Couldn't fetch it - please try to retrieve this
>> => port manually into /portdistfiles/ and try again.
>> *** [do-fetch] Error code 1
> 
> The Qualsys scanner is informative:
> 
>    https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com
> 
> You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that only
> something which supports the newest ECDHE / GCM variants will likely be able to connect.
> 
> If you want the majority of clients to be able to connect, you'll need to offer
> TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or
> TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256.
> 
> Regards,
> 


Thanks Chuck.  I was being ultra paranoid when I did this and lifted this config from somewhere
SSL Labs sent me to as I recall.   I've added the 256 bit AES ciphers back in. Hopefully,
the noise will go away now.

I appreciate your prompt response.


-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/