On 18.11.2018 23:30, Don Lewis wrote:
> On 17 Nov, Pedro Lino wrote:
>>> On November 17, 2018 at 5:32 PM Andrea Pescetti <pesce...@apache.org> wrote:
>>> A nice additional benefit is that this gives us a simple way to 
>>> reproduce the bug, equivalent to the update notification.
>>>
>>> $ soffice https://ooo-updates.apache.org/index.html
>>> (this fails on Ubuntu, succeeds on Fedora)
>>>
>>> Note that
>>>
>>> $ soffice https://www.google.com/
>>> will work in all cases (so this is not an HTTPS bug per se) and
>>>
>>> $ soffice http://ooo-updates.apache.org/index.html
>>> will work in all cases (so this is not a network issue but rather an SSL 
>>> issue).
>>>
>>> Now, debugging SSL issues is not easy, but can the people who don't get 
>>> updates at least confirm the three results above, i.e., that only the 
>>> first one fails?
>> Confirmed that only the first one fails.
>> I always get the message (even when it didn't fail to open the page) 
>>
>> Gtk-Message: Failed to load module "overlay-scrollbar"
>>
>> ** (soffice:10458): WARNING **: Unknown type: GailWindow
>>  
>>> Further tests show that problematic systems have issues with ASF sites 
>>> in HTTPS, like:
>>> $ soffice https://www.apache.org/ # Fails
>>> $ soffice http://www.apache.org/  # Succeeds
>>> $ soffice https://www.openoffice.org/ # Fails
>>> $ soffice http://www.openoffice.org/  # Succeeds
>>> $ soffice https://... # Succeeds for any site I put there, except ASF 
>>> sites, but I'd love to see a non-ASF example of a failing HTTPS site.
>> Confirmed. HTTPS links fail, HTTP succeed
> The HTTPS links all work for me with the FreeBSD port of 4.1.6.  One
> difference is that the FreeBSD port uses the system OpenSSL, currently
> 1.02p or newer.
>
> Does the Apache web server still support TLS version 1.0?  The old
> version of OpenSSL that we bundle with the Windows and Linux versions
> doesn't support anything newer than that.

It looks like you found the real problem:

$ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/
*   Trying 40.79.78.1...
...
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS alert, Server hello (2):
* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol version


Connection fails with options --tlsv1.0 and --tlsv1.1 but succeeds with
--tlsv1.2. Which is in fact a good thing; TLSv1 and TLSv1.1 both have
known security bugs.

It is usually a bad idea to bundle OpenSSL instead of using the
system-provided version; but if you do have to do that (e.g., on
Windows, which doesn't have it, or macOS, which has an ancient version),
at least use the latest 1.0.2 version, or even better, 1.1.0.

-- Brane
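
Added example, not part of the original message: the "alert protocol version" line in the curl output above corresponds to a 7-byte TLS alert record, and this sketch decodes such a reply at the record layer. The sample byte strings are constructed for illustration, not captured from ooo-updates.apache.org, and the function names are hypothetical.

```python
import struct

# Record content types and alert codes from RFC 5246 (sections 6.2.1 and 7.2).
CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error"}
VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_records(data):
    """Split a byte stream into (content_type, record_version, payload) tuples."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((ctype, VERSIONS.get((major, minor), f"{major}.{minor}"), payload))
        offset += 5 + length
    return records


def classify_reply(data):
    """Describe the server's first record sent in answer to a ClientHello."""
    ctype, _version, payload = parse_records(data)[0]
    if ctype == CONTENT_ALERT and len(payload) == 2:
        level = ALERT_LEVELS.get(payload[0], "unknown")
        desc = ALERT_DESCRIPTIONS.get(payload[1], f"alert_{payload[1]}")
        return f"{level} alert: {desc}"
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 6 and payload[0] == 2:
        # ServerHello body: msg_type(1) + length(3) + server_version(2)
        chosen = VERSIONS.get((payload[4], payload[5]), "unknown")
        return f"ServerHello: {chosen}"
    return "unexpected record"


# Constructed samples (assumptions, not real captures).
# Alert record: type 21, version 3.1, length 2, level fatal(2), description 70.
REJECTED = bytes.fromhex("15030100020246")
# Start of a ServerHello selecting version 3.3 (body cut after server_version).
ACCEPTED = bytes.fromhex("1603030006" "02000002" "0303")

if __name__ == "__main__":
    print(classify_reply(REJECTED))
    print(classify_reply(ACCEPTED))
```

A client whose bundled library tops out at TLS 1.0 sees only the first kind of reply from a server that requires TLS 1.2, which is why the HTTP URL and HTTPS sites with older protocol support still load.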

