Hi, there was a more recent comment from Infra that Apache no longer supports
TLS1.0 (and TLS1.1) per security recommendations. I suspect the code we are
using relies on TLS1.0. I wrote a simple test harness this morning and we
cannot access any files on www.a.o/dist over HTTPS, but we can on
fpdownloads.macromedia.com. If you have a server that no longer supports
TLS1.0, I can post the example and you can try it on that server and see if the
code gets stuck there as well.
So this means that if some day Adobe also drops TLS1.0 support (which it
should) then this same code will start to fail to download the Adobe code.
I've been unable to figure out from our archives why we chose to use our own
HTTPS handling code in the first place. Does anybody remember? I seem to
recall we had lots of failures downloading third-party files. There was also
an issue with AIR relying on IE settings on Windows. I'm trying to understand
if we switch to using AIR's SecureSocket for TLS support whether that also uses
IE settings.
I think my next step is to try to find sources for the current code and see
where it gets stuck.
My 2 cents,
-Alex
On 6/13/18, 12:27 AM, "Piotr Zarzycki" <piotrzarzyck...@gmail.com> wrote:
FYI, I just tried suggestion from Henk in infra comments and it's failed as
well.
Thanks,
Piotr
wt., 12 cze 2018 o 09:28 Piotr Zarzycki <piotrzarzyck...@gmail.com>
napisał(a):
> Ok Let's wait to their answer. Thanks!
>
> wt., 12 cze 2018 o 09:19 Alex Harui <aha...@adobe.com.invalid> napisał(a):
>
>> I decided to ask Infra
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FINFRA-16640&data=02%7C01%7Caharui%40adobe.com%7C333a36f4a7f84a07e3a908d5d0ff12c7%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636644716304449784&sdata=9k3t3GcBqURaNt5M5v6pIawviZx%2F4DnkJ5h4m9BAo9s%3D&reserved=0
>>
>> I also saw this:
>>
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fblog.pcisecuritystandards.org%2Fare-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls&data=02%7C01%7Caharui%40adobe.com%7C333a36f4a7f84a07e3a908d5d0ff12c7%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636644716304449784&sdata=kymNLcXx0IihC6pdzrNLoGSdHPEc86ckVpzJwXN3DcM%3D&reserved=0
>>
>> I'm wondering if the HTTPS code in the installer can handle the latest
>> TLS. The notes for the code we use says "partial TLS1.0 implementation".
>>
>> Thoughts?
>> -Alex
>>
>> On 6/11/18, 9:43 PM, "Alex Harui" <aha...@adobe.com.INVALID> wrote:
>>
>> Because Rawgit could be a faster remedy than putting together a whole
>> new release.
>>
>> However, before we go that route, we need to verify that the
>> Installer can in fact download over HTTPS from the rawgit server. My
>> understanding from this thread is that HTTPS may be working on some
servers
>> but not others?
>>
>> -Alex
>>
>> On 6/11/18, 9:03 PM, "Justin Mclean" <jus...@classsoftware.com>
>> wrote:
>>
>> Hi,
>>
>> Do we really want to go with a service that states "this is a
>> free service,
>> so there are no uptime or support guarantees.". I not sure we
>> even have an
>> issue with downloading the binary connivance releases so why do
>> we need to
>> move them from where they currently are?
>>
>> Justin
>>
>> On Tue, Jun 12, 2018 at 12:05 PM, OmPrakash Muppirala <
>> bigosma...@gmail.com>
>> wrote:
>>
>> > Rawgit might be a good option for us:
>>
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Frawgit.com%2F&data=02%7C01%7Caharui%40adobe.com%7Ce1271815ffce4da34b4308d5d0197f62%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643730289596335&sdata=3GuiC1GhJIPPW3LowsPOUNtYobe%2FS3SvUhPqj%2FNFQl8%3D&reserved=0
>> >
>> > If no one has objections, I can set this up.
>> >
>> > Thanks,
>> > Om
>> >
>> > On Mon, Jun 11, 2018, 5:12 PM Alex Harui
>> <aha...@adobe.com.invalid> wrote:
>> >
>> > > Also, I think if we can find a volunteer to host the entire
>> binary folder
>> > > (and thus pay the bandwidth costs) that will solve the
>> problem without
>> > > requiring an update to the installer.
>> > >
>> > > My 2 cents,
>> > > -Alex
>> > >
>> > > On 6/11/18, 5:05 PM, "Alex Harui" <aha...@adobe.com.INVALID>
>> wrote:
>> > >
>> > > Hmm. Are you proposing a new release of the installer?
>> The location
>> > > of the apache-flex-sdk-installer-config.xml is supposed to be
>> > > release-specific. Each release can have its own version in
>> case we need
>> > to
>> > > change steps in the release, so I don't think we want to
>> hardcode it to
>> > the
>> > > URL you are using for testing.
>> > >
>> > > Did you say that if you use https to access this file on
>> our website
>> > > that it also fails? I find that really interesting if you
>> are also
>> > saying
>> > > that the install does complete if we use https to download
>> some of the
>> > > artifacts like AIR29. Can you verify that this is only an
>> issue for
>> > > hitting apache.org sites via HTTPS and make sure your AIR29
>> didn't come
>> > > out of the download cache?
>> > >
>> > > If it is an HTTPS for apache.org only, I think we want
>> to understand
>> > > why and build a really small test case to show Infra.
>> Because if they
>> > made
>> > > a config change on apache.org/dist, if one of the other
>> places we
>> > > download from make the same change we will be stuck again.
>> > >
>> > > Thoughts?
>> > > -Alex
>> > >
>> > > On 6/11/18, 1:25 PM, "Piotr Zarzycki" <
>> piotrzarzyck...@gmail.com>
>> > > wrote:
>> > >
>> > > I simply placed link here [1].
>> > >
>> > > APACHE_FLEX_BIN_INSTALLER_URL =
>> > > "
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fapache-flex-sdk-
>> > installer-config.xml&data=02%7C01%7Caharui%40adobe.com%
>> >
>> 7Ceda63602f32e4a98d35f08d5cfd97c84%7Cfa7b1b5a7b34438794aed2c178de
>> >
>> cee1%7C0%7C0%7C636643455386260834&sdata=8%2FKeViaRU2QlsM%2BDVqI9%
>> > 2B5VwFRaoR3cYywVPiD8iiI4%3D&reserved=0
>> > > "
>> > >
>> > >
>> > > [1]
>> > >
>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly%
>> > 2F2JC5dcX&data=02%7C01%7Caharui%40adobe.com
>> %7Ceda63602f32e4a98d35f08d5cfd9
>> > 7c84%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C1%
>> > 7C636643455386260834&sdata=k3wKVwi2OH9dwPoTXlvYz4gKQnNs85
>> > II6JxH7GUSMPE%3D&reserved=0
>> > >
>> > > pon., 11 cze 2018 o 22:10 Alex Harui
>> <aha...@adobe.com.invalid>
>> > > napisał(a):
>> > >
>> > > > But what code knew to start looking at the website
>> instead of
>> > > dist?
>> > > > Didn't something else need to change? I'm trying
>> to understand
>> > > all of the
>> > > > pieces.
>> > > >
>> > > > -Alex
>> > > >
>> > > > On 6/11/18, 12:34 PM, "Piotr Zarzycki" <
>> > > piotrzarzyck...@gmail.com> wrote:
>> > > >
>> > > > Alex,
>> > > >
>> > > > When we are trying to read following file [1],
>> we are
>> > > getting time out
>> > > > in
>> > > > installer. I moved that file to our website [2]
>> and locally
>> > > tested
>> > > > installer. - I got positive results. It's
>> started to work.
>> > > >
>> > > > [1]
>> > > >
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > https%3A%2F%2Fwww.apache.org%2Fdist%2Fflex%2F4.16.1%
>> > 2Fbinaries%2Fapache-flex-sdk-installer-config.xml&data=02%
>> > 7C01%7Caharui%40adobe.com%7C8cf556e5bf954296e05908d5cfd26258%
>> >
>> 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643424854057105&sdata=
>> > WaA3FpmHKJuhJI5Dpvxy6gfIBXOYBNg862fzTpLSucQ%3D&reserved=0
>> > > > [2]
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fapache-flex-sdk-
>> > installer-config.xml&data=02%7C01%7Caharui%40adobe.com%
>> >
>> 7C8cf556e5bf954296e05908d5cfd26258%7Cfa7b1b5a7b34438794aed2c178de
>> > cee1%7C0%7C0%7C636643424854057105&sdata=nRM0G2Vsc3uVg9sg3SEiF%
>> > 2FnKzmO34dUJACfhl47MbEc%3D&reserved=0
>> > > >
>> > > > Thanks,
>> > > > Piotr
>> > > >
>> > > > pon., 11 cze 2018 o 17:24 Alex Harui
>> > > <aha...@adobe.com.invalid>
>> > > > napisał(a):
>> > > >
>> > > > > I think I'm lost. The commit message shows
>> that one file
>> > > was added
>> > > > to our
>> > > > > site. What file is pointing to it and how
>> did it know to
>> > > look at
>> > > > our site?
>> > > > >
>> > > > > -Alex
>> > > > >
>> > > > > On 6/11/18, 12:58 AM, "Piotr Zarzycki" <
>> > > piotrzarzyck...@gmail.com>
>> > > > wrote:
>> > > > >
>> > > > > I moved file on our website [1] and it's
>> working. If
>> > I
>> > > change it
>> > > > to
>> > > > > https
>> > > > > we have time out issue as well. When file
>> was used
>> > > from my
>> > > > server I
>> > > > > also
>> > > > > used https and it was working.
>> > > > >
>> > > > > Can we just use that location [1] and we
>> will have
>> > > installer
>> > > > working ?
>> > > > >
>> > > > > [1]
>> > > > >
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fapache-flex-sdk-
>> > installer-config.xml&data=02%7C01%7Caharui%40adobe.com%
>> >
>> 7C4d8ae8042ed840e0cd9908d5cf712b17%7Cfa7b1b5a7b34438794aed2c178de
>> >
>> cee1%7C0%7C0%7C636643007320096225&sdata=YmowJViVHdhqCrxcGSZLg%2BYY86G%
>> > 2BsbJCAqsYkcOWEHw%3D&reserved=0
>> > > > >
>> > > > > Thanks,
>> > > > > Piotr
>> > > > >
>> > > > > pon., 11 cze 2018 o 09:31 Justin Mclean <
>> > > > jus...@classsoftware.com>
>> > > > > napisał(a):
>> > > > >
>> > > > > > No I'm not suggesting that. AFAIK it's
>> only the
>> > > config text
>> > > > file
>> > > > > that Prior
>> > > > > > wants to host.
>> > > > > >
>> > > > > > On Mon., 11 Jun. 2018, 8:47 am Alex
>> Harui,
>> > > > <aha...@adobe.com.invalid
>> > > > > >
>> > > > > > wrote:
>> > > > > >
>> > > > > > > Justin,
>> > > > > > >
>> > > > > > > Are you suggesting that we distribute
>> a binary
>> > > artifact from
>> > > > our
>> > > > > project
>> > > > > > > website? Do other projects do that?
>> > > > > > >
>> > > > > > > -Alex
>> > > > > > >
>> > > > > > > On 6/10/18, 10:27 PM, "Justin Mclean"
>> <
>> > > > jus...@classsoftware.com>
>> > > > > wrote:
>> > > > > > >
>> > > > > > > Hi,
>> > > > > > >
>> > > > > > > > I'm talking about that file
>> [1]. What kind
>> > > of security
>> > > > > issues do
>> > > > > > you
>> > > > > > > > exactly see if I move that file
>> on my
>> > server
>> > > ?
>> > > > > > >
>> > > > > > > Well if someone changed the paths
>> in those
>> > > files, our
>> > > > users
>> > > > > could
>> > > > > > > unwitting be made to download walware
>> or other
>> > > stuff. Risk is
>> > > > > probably
>> > > > > > low
>> > > > > > > but I have no details on the server
>> this file is
>> > > going on,
>> > > > for
>> > > > > instance
>> > > > > > it
>> > > > > > > it a dedicated server or one that
>> contains shared
>> > > hosts for
>> > > > > instance.
>> > > > > > What
>> > > > > > > other services are running on this
>> server? How is
>> > > the file
>> > > > > > uloaded/updated
>> > > > > > > on that server? What security is in
>> place to stop
>> > > others
>> > > > modifying
>> > > > > that
>> > > > > > > file? If it located in Poland is that
>> going to
>> > > cause
>> > > > performance
>> > > > > issues
>> > > > > > for
>> > > > > > > people outside of Europe? What
>> happens if the
>> > > server falls
>> > > > overs
>> > > > > can
>> > > > > > > someone on the PMC restart it? Will
>> the rest of
>> > > the PMC have
>> > > > > access to
>> > > > > > this
>> > > > > > > server? Might be best to answer on
>> the private
>> > > list if you
>> > > > don’t
>> > > > > want
>> > > > > > > details about your server made
public.
>> > > > > > >
>> > > > > > > Perhaps a better solution would
>> be to host
>> > > them on the
>> > > > Apache
>> > > > > Flex
>> > > > > > > website as currently we do for [1]
>> which the
>> > > installer gets.
>> > > > Is it
>> > > > > too
>> > > > > > hard
>> > > > > > > to have a
>> > > > > > >
>> > > > > >
>> > > > >
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > http%3A%2F%2Fflex.apache.org%2Finstaller%2FXXX%2Fsdk-
>> > installer-config-4.0.xml&data=02%7C01%7Caharui%40adobe.com%
>> >
>> 7Cbe3b60c824884a383f7d08d5cf5c1704%7Cfa7b1b5a7b34438794aed2c178de
>> >
>> cee1%7C0%7C0%7C636642916791710330&sdata=CUrCENwFIuMoAtvJnjoNXT9o41rbsX
>> > GXojcwa5QH%2Bys%3D&reserved=0
>> > > > > > ,
>> > > > > > > were XXX if the flex version number
>> as well?
>> > Given
>> > > the issue
>> > > > is
>> > > > > only with
>> > > > > > > 4.16.0 and 4.16.1that’s only two
>> files we would
>> > > need to host
>> > > > > there. That
>> > > > > > > way access and security are handled
>> by ASF
>> > > infrastructure
>> > > > and we
>> > > > > don’t
>> > > > > > have
>> > > > > > > to worry about them.
>> > > > > > >
>> > > > > > > Thanks,
>> > > > > > > Justin
>> > > > > > >
>> > > > > > > 1.
>> > > > > > >
>> > > > > >
>> > > > >
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > http%3A%2F%2Fflex.apache.org%2Finstaller%2Fsdk-installer-
>> > config-4.0.xml&data=02%7C01%7Caharui%40adobe.com%
>> >
>> 7Cbe3b60c824884a383f7d08d5cf5c1704%7Cfa7b1b5a7b34438794aed2c178de
>> >
>> cee1%7C0%7C0%7C636642916791710330&sdata=2ld9NbW8Uar2ARRbaXv14uQ1cNN2U2
>> > ZIxWjqpnJdqX0%3D&reserved=0
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > >
>> > > > >
>> > > > >
>> > > > > --
>> > > > >
>> > > > > Piotr Zarzycki
>> > > > >
>> > > > > Patreon: *
>> > > > >
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%
>> > 7Caharui%40adobe.com%7C4d8ae8042ed840e0cd9908d5cf712b17%
>> >
>> 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643007320096225&sdata=
>> > v5vx417pobFqInf08DbisQPeFu%2FU0WyzufbVEL%2F%2B2Ho%3D&reserved=0
>> > > > > <
>> > > > >
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%
>> > 7Caharui%40adobe.com%7C4d8ae8042ed840e0cd9908d5cf712b17%
>> >
>>
7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643007320106230&sdata=S3Q%
>> > 2FNmTpKKkr9oEtYLfIDNZvz7pYHcQyeiuVF7cPLq0%3D&reserved=0
>> > > > > >*
>> > > > >
>> > > > >
>> > > > >
>> > > >
>> > > > --
>> > > >
>> > > > Piotr Zarzycki
>> > > >
>> > > > Patreon: *
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%
>> > 7Caharui%40adobe.com%7C8cf556e5bf954296e05908d5cfd26258%
>> >
>> 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643424854057105&sdata=
>> > 6rndu7V2f8DYDeQLB0kpqtXWYJvKZDIu3l%2Ba8bS9A2A%3D&reserved=0
>> > > > <
>> > > >
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%
>> > 7Caharui%40adobe.com%7C8cf556e5bf954296e05908d5cfd26258%
>> >
>> 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643424854057105&sdata=
>> > 6rndu7V2f8DYDeQLB0kpqtXWYJvKZDIu3l%2Ba8bS9A2A%3D&reserved=0
>> > > > >*
>> > > >
>> > > >
>> > > >
>> > >
>> > > --
>> > >
>> > > Piotr Zarzycki
>> > >
>> > > Patreon: *
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%
>> > 7Caharui%40adobe.com%7Ceda63602f32e4a98d35f08d5cfd97c84%
>> >
>> 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643455386270844&sdata=
>> > 8w9EuvBjYmQwQQ4Cwc3ipeQLEaa8EvxrbPVtRETuTNM%3D&reserved=0
>> > > <
>> > > https://na01.safelinks.protection.outlook.com/?url=
>> > https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%
>> > 7Caharui%40adobe.com%7Ceda63602f32e4a98d35f08d5cfd97c84%
>> >
>> 7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636643455386270844&sdata=
>> > 8w9EuvBjYmQwQQ4Cwc3ipeQLEaa8EvxrbPVtRETuTNM%3D&reserved=0
>> > > >*
>> > >
>> > >
>> > >
>> > >
>> > >
>> >
>>
>>
>>
>>
>>
>
> --
>
> Piotr Zarzycki
>
> Patreon:
*https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%7Caharui%40adobe.com%7C333a36f4a7f84a07e3a908d5d0ff12c7%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636644716304449784&sdata=R6fU8ShBoJCC8zep1%2FO%2Bsbhx8sV5HMs2v30fT%2BmMWFQ%3D&reserved=0
>
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%7Caharui%40adobe.com%7C333a36f4a7f84a07e3a908d5d0ff12c7%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636644716304449784&sdata=R6fU8ShBoJCC8zep1%2FO%2Bsbhx8sV5HMs2v30fT%2BmMWFQ%3D&reserved=0>*
>
--
Piotr Zarzycki
Patreon:
*https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%7Caharui%40adobe.com%7C333a36f4a7f84a07e3a908d5d0ff12c7%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636644716304449784&sdata=R6fU8ShBoJCC8zep1%2FO%2Bsbhx8sV5HMs2v30fT%2BmMWFQ%3D&reserved=0
<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.patreon.com%2Fpiotrzarzycki&data=02%7C01%7Caharui%40adobe.com%7C333a36f4a7f84a07e3a908d5d0ff12c7%7Cfa7b1b5a7b34438794aed2c178decee1%7C0%7C0%7C636644716304449784&sdata=R6fU8ShBoJCC8zep1%2FO%2Bsbhx8sV5HMs2v30fT%2BmMWFQ%3D&reserved=0>*
