On Jun 1, 2015, at 4:33 PM, Tim Daneliuk <tun...@tundraware.com> wrote: > Recently, I switched a web server here to to rewriting and force every access > to go over https. This is a machine using self-signed certs and a fairly > conservative set of protocol support. Apache's cipher suite is set to this: > > SSLCipherSuite > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:-SSLv3:-SSLv2 > > These settings were derived from doing some reading and testing with SSL Labs > test site > and - thus far - I have seen no complaints except from the FreeBSD ports > fetch. I am > getting grumpy emails from the master ports sites: > > => tsshbatch-1.212.tar.gz doesn't seem to exist in /portdistfiles/. > => Attempting to fetch > http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz > fetch: http://distcache.FreeBSD.org/ports-distfiles/tsshbatch-1.212.tar.gz: > Not Found > => Attempting to fetch > http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz > 72047:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert > handshake > failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:593: > fetch: http://www.tundraware.com/Software/tsshbatch/tsshbatch-1.212.tar.gz: > Authentication error > => Couldn't fetch it - please try to retrieve this > => port manually into /portdistfiles/ and try again. > *** [do-fetch] Error code 1
The Qualsys scanner is informative: https://www.ssllabs.com/ssltest/analyze.html?d=tundraware.com You've disabled SSLv2 & v3, TLS 1.0 & 1.1, and enough of the standard ciphers that only something which supports the newest ECDHE / GCM variants will likely be able to connect. If you want the majority of clients to be able to connect, you'll need to offer TLS_RSA_WITH_AES_128_CBC_SHA in addition to TLS_RSA_WITH_AES_128_CBC_SHA256 and/or TLS_RSA_WITH_AES_256_CBC_SHA in addition to TLS_RSA_WITH_AES_256_CBC_SHA256. Regards, -- -Chuck _______________________________________________ freebsd-ports@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ports To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
