From owner-freebsd-ports@FreeBSD.ORG Sun Jun 7 15:20:28 2015
From: Tim Daneliuk <tundra@tundraware.com>
Date: Sun, 07 Jun 2015 10:20:09 -0500
To: Roger Marquis
CC: FreeBSD Ports Mailing List
Subject: Re: Port Fetch Failing
Message-ID: <55746129.2060406@tundraware.com>
In-Reply-To: <201506020139.t521dlZx018515@ozzie.tundraware.com>
References: <556CEBE2.7030005@tundraware.com> <556CEEB8.2090406@delphij.net> <556CF2B1.30100@tundraware.com> <20150602000954.GF1733@over-yonder.net> <201506020139.t521dlZx018515@ozzie.tundraware.com>
On 06/01/2015 08:25 PM, Roger Marquis wrote:
> SSLCipherSuite HIGH:MEDIUM:!IDEA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> SSLProtocol all -SSLv2 -SSLv3
> SSLCompression off
> SSLHonorCipherOrder on
> This certainly works.
>
> If you're processing credit cards SSLProtocol will need to be expanded to
> "-SSLv2 -SSLv3 -TLSv1" by 2016/07 (for PCI compliance) and if you have
> good reason to be paranoid and all of your clients are up-to-date, add
> "-TLSv1.1".

And there's the rub. TLS1 is known to be weak, susceptible to Poodle (so is 1.1 as I understand it), and I'd love to turn it off. Unfortunately, that's exactly what the FreeBSD ports mechanism wants to use to get port sources, as best as I can determine. Every time I do -TLS1, port fetches start to break.

Is there a plan, I wonder, to move to TLS 1.2 and be done with this?

--
----------------------------------------------------------------------------
Tim Daneliuk tundra@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
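An added example, not part of the thread, that evaluates an Apache mod_ssl SSLProtocol value like the one Roger quoted and reports which enabled versions a policy forbids (here the "-SSLv2 -SSLv3 -TLSv1" PCI baseline from the quoted message). It assumes the documented 2.4 meaning of "all" (SSLv3 and every TLS version the build knows, SSLv2 excluded); the protocol list and policy tuple are constructed for this example.

```python
"""Evaluate an Apache mod_ssl SSLProtocol directive against a hardening policy.

Syntax handled: whitespace-separated protocol names, each optionally
prefixed with '+' (enable) or '-' (disable); 'all' expands to SSLv3 and
every TLS version in KNOWN (SSLv2 is never part of 'all' in 2.4 builds).
"""
from __future__ import annotations

# Versions mod_ssl can name, oldest first. Constructed for this example;
# a given OpenSSL build may know fewer.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
ALL = [p for p in KNOWN if p != "SSLv2"]

# Versions that must be off for the 2016/07 PCI deadline quoted in the thread.
PCI_2016_FORBIDDEN = ("SSLv2", "SSLv3", "TLSv1")


def enabled_protocols(directive: str) -> list[str]:
    """Return the versions the directive leaves enabled, oldest first."""
    enabled: set[str] = set()
    for token in directive.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL if name.lower() == "all" else [name]
        for proto in names:
            if proto not in KNOWN:
                raise ValueError(f"unknown protocol in SSLProtocol: {proto!r}")
            # '-' removes a version even if a later 'all' re-adds it;
            # tokens are applied strictly left to right.
            (enabled.add if op == "+" else enabled.discard)(proto)
    return [p for p in KNOWN if p in enabled]


def policy_violations(directive: str, forbidden: tuple[str, ...]) -> list[str]:
    """Versions the directive enables that the policy says must be disabled."""
    return [p for p in enabled_protocols(directive) if p in forbidden]


if __name__ == "__main__":
    for value in ("all -SSLv2 -SSLv3", "all -SSLv2 -SSLv3 -TLSv1"):
        bad = policy_violations(value, PCI_2016_FORBIDDEN)
        status = "ok" if not bad else "still enables " + ", ".join(bad)
        print(f"SSLProtocol {value}: {status}")
```

Run against the quoted value it reports that TLSv1 is still enabled, which is exactly the version the reply says the ports fetch path still depends on; tightening the directive is therefore a client-compatibility decision, not only a server one.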