On 06/01/2015 06:47 PM, Charles Swiger wrote: > On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <[email protected]> wrote: >> Recently, I switched a web server here to to rewriting and force every access >> to go over https. This is a machine using self-signed certs and a fairly >> conservative set of protocol support. Apache's cipher suite is set to this: >> >> SSLCipherSuite >> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2 >> >> These settings were derived from doing some reading and testing with SSL >> Labs test site >> and - thus far - I have seen no complaints except from the FreeBSD ports >> fetch. I am >> getting grumpy emails from the master ports sites: >> >> => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/. >> => Attempting to fetch >> http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz >> fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: >> Not Found >> => Attempting to fetch >> http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz >> 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert >> handshake >> failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593: >> fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: >> Authentication error >> => Couldn't fetch it - please try to retrieve this >> => port manually into /portdistfiles/ and try again. >> *** [do-fetch] Error code 1 > > The Qualsys scanner is informative: > > https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com > > You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers > that only > something which supports the newest ECDHE / GCM variants will likely be able > to connect. > > If you want the majority of clients to be able to connect, you'll need to > offer > TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 > and/or > TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256. > > Regards, >
Thanks Chuck. I was being ultra paranoid when I did this and lifted this config from somewhere SSL Labs sent me to as I recall. I've added the 256 bit AES ciphers back in. Hopefully, the noise will go away now. I appreciate your prompt response. -- ---------------------------------------------------------------------------- Tim Daneliuk [email protected] PGP Key: http://www.tundraware.com/PGP/ _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "[email protected]"
