On 27.06.2016 at 18:41, Tom Horsley wrote:
> On Mon, 27 Jun 2016 10:25:56 -0600
> Orion Poplawski wrote:
> > Secure Connection Failed
> A lot of older browsers have been failing recently on https
> web sites because the newer apache refuses to speak many
> of the older encryption protocols (I guess the same group
> that did in all the encryption algorithms in sshd got
> to these too).
> Don't know if that is what is going on with koji, but
> it might be. (I'm not actually sure how to tell)
Cipher Suites (sorted by strength as the server has no preference)
combined with RC4 does not sound like that
the only positive thing which can be said is SHA256 certs
is it *really* that hard to configure TLS properly?
SSLProtocol All -SSLv2 -SSLv3
SSLFIPS Off
SSLCompression Off
SSLInsecureRenegotiation Off
SSLSessionTickets Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
___________________________________
is it really that hard to set "ServerTokens Prod" in the config instead
of blowing out modules and versions?
[harry@srv-rhsoft:~]$ curl --head --insecure https://koji.rpmfusion.org/koji/
HTTP/1.1 200 OK
Date: Mon, 27 Jun 2016 16:52:51 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 mod_wsgi/3.4 Python/2.7.5
Content-Length: 11993
Allow: GET, POST, HEAD
AppTime: D=290432
AppServer: koji01.online.rpmfusion.net
Content-Type: text/html; charset=UTF-8
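
The checks raised in this message, as an added example that is not part of the original post: a small Python audit that compares an httpd configuration and an observed Server header against the directive values quoted above. It assumes a flat config without virtual-host scoping, reports unset directives as deviations instead of resolving Apache's defaults, and treats an unset SSLProtocol as "all"; the function names and the WEAK sample are constructed for illustration.

```python
import re

# Baseline values copied from the directives quoted in the post.
BASELINE = {"sslcompression": "off", "sslinsecurerenegotiation": "off",
            "sslsessiontickets": "off", "sslhonorcipherorder": "on",
            "servertokens": "prod"}

def parse(conf):
    """Map lower-cased directive name -> arguments (last occurrence wins)."""
    out = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0][0] not in "#<":
            out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out

def enabled_protocols(spec):
    """Evaluate SSLProtocol arguments such as 'All -SSLv2 -SSLv3'."""
    on = set()
    for tok in spec.lower().split():
        if tok == "all":
            on |= {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
        elif tok.startswith("-"):
            on.discard(tok[1:])
        else:
            on.add(tok.lstrip("+"))
    return on

def audit(conf, server_header=""):
    """Return findings for a flat config and an observed Server header."""
    d, findings = parse(conf), []
    for name, want in BASELINE.items():
        got = d.get(name, "").lower()
        if got != want:
            findings.append(f"{name}: expected {want}, found {got or 'unset'}")
    if {"sslv2", "sslv3"} & enabled_protocols(d.get("sslprotocol", "all")):
        findings.append("sslprotocol enables SSLv2/SSLv3")
    # Only literal RC4 tokens are seen; aliases like DEFAULT are not expanded.
    ciphers = d.get("sslciphersuite", "").upper().split(":")
    if any("RC4" in c and c[0] not in "!-" for c in ciphers):
        findings.append("sslciphersuite offers RC4")
    if re.search(r"[\w.-]+/\d", server_header):
        findings.append("Server header discloses versions")
    return findings

# Constructed weak config; HEADER is the Server value shown in the post.
WEAK = "SSLProtocol All -SSLv2\nSSLCipherSuite HIGH:RC4-SHA:!aNULL\nServerTokens Full"
HEADER = "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 mod_wsgi/3.4 Python/2.7.5"
if __name__ == "__main__":
    print("\n".join(audit(WEAK, HEADER)))
```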