Modify

Opened 17 months ago

Last modified 2 months ago

#2069 reopened defect

connection failures to svn.cactuscode.org

Reported by: Roland Haas Owned by: Steven R. Brandt
Priority: major Milestone:
Component: EinsteinToolkit website Version: development version
Keywords: SSL Cc:

Description

I am getting connection failures to svn.cactuscode.org using svn 1.9.7 on Debian buster (which is starting to phase out tls 1.0 and 1.1 support https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html). Namely I get:

ET_Hack$ svn checkout https://svn.cactuscode.org/projects/ExternalLibraries/zlib/
svn: E170013: Unable to connect to a repository at URL 'https://svn.cactuscode.org/projects/ExternalLibraries/zlib'
svn: E120171: Error running context: An error occurred during SSL communication

and openssl shows:

ET_Hack$ openssl s_client -connect svn.cactuscode.org:443
CONNECTED(00000003)
140481992824064:error:14171102:SSL routines:tls_process_server_hello:unsupported protocol:../ssl/statem/statem_clnt.c:917:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 86 bytes and written 183 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503529726
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

systems which still allow tls1.0 (eg the QueenBee login nodes) return

$ openssl s_client -connect svn.cactuscode.org:443
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 70803, ST = Louisiana, L = Baton Rouge, street = 110 Thomas Boyd, O = Louisiana State University, OU = LSU A & M, CN = svn.cactuscode.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cactuscode.org
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGgDCCBWigAwIBAgIQHqWvzUQZraL+FC0Gui4TnTANBgkqhkiG9w0BAQsFADB2
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNTEyMDEwMDAwMDBaFw0xODExMzAy
MzU5NTlaMIG3MQswCQYDVQQGEwJVUzEOMAwGA1UEERMFNzA4MDMxEjAQBgNVBAgT
CUxvdWlzaWFuYTEUMBIGA1UEBxMLQmF0b24gUm91Z2UxGDAWBgNVBAkTDzExMCBU
aG9tYXMgQm95ZDEjMCEGA1UEChMaTG91aXNpYW5hIFN0YXRlIFVuaXZlcnNpdHkx
EjAQBgNVBAsMCUxTVSBBICYgTTEbMBkGA1UEAxMSc3ZuLmNhY3R1c2NvZGUub3Jn
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA40EHmQwApNBq6wt6VyZ0
hWbeCpkOkYENmksB9kPtxzVSz0gK26nnPl68wyb3gTLN3qhfkH9rxlPNuQoo9L3q
5WnIAUrPgzz+afP/kXMzeUtD4GdKx4NhSFnOaVE8rimz2EiOAx7BC8uxfT+EOJ3i
C07jwSKg8l+1M0SH1BQqjPK8HeVkfAP2jWQVBAThz/TMvs6P9w4yH8aKsUO2DpOw
ocRUvEEvYd6cc4ouuJkhCkosw4NUHC5gCuuoJcVo8wuqR1F+aE8qvtG1CKNTkU6M
5QZgPcqQ4ENwM3SJTlSrWIsqebu24NDacmxc32K2CwLeBEQHM5YCKj1UAODAmtZB
aBD3w7lVO0odunOWI+E/R9NARSpwyCBBCv43TDPDKp48Nmffaj7nhSRIl4hFxtTW
FTC3rkoHL5fuSFWZBNVJDD7iYFsSovDUep9gAAd8szjQQdwdUTIY/ad/xFjS8UX+
Q6myUkLfBDnSQp2lMrDBYmrOBUacwMkFI4gJEyZpWA3RXAZloa8Mmopq8bHthgCN
OjMDf7JAsXNo7OP7n3TIe52XVKtaYpK6OVpZelCaY7huYv/5+oZdqk0A4+ij5RBl
4GukstJQcLSErYiyheesAeSBwXMfQch57uhiB/bUL5W5lRE34Ru6gAckTt7E/Uji
d9jAJ7K/ISCyp2qn9NDRtycCAwEAAaOCAcYwggHCMB8GA1UdIwQYMBaAFB4Fo3eP
bJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBSuuHX667Gw/EAO8dHJCvbWxYzPHTAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQDAQEwQjBABggrBgEF
BQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQvcmVwb3NpdG9yeS9j
cHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDegNYYzaHR0cDovL2Ny
bC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVyQ0EuY3JsMHUGCCsG
AQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51c2VydHJ1c3QuY29t
L0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9v
Y3NwLnVzZXJ0cnVzdC5jb20wHQYDVR0RBBYwFIISc3ZuLmNhY3R1c2NvZGUub3Jn
MA0GCSqGSIb3DQEBCwUAA4IBAQA8RerhAuPvOngiT4cSmhtiFp+r+i4hXzKB3UwU
J3mjgrOQz3AxbmW1A9CyMEPAxtAhM1GdPmSR8T/KeGEE5/We5uVO1SvFpSA8BmsC
7vjirkNLVMlrIrDM89uUwJi5m/i7yupqhoxdReuuz4NP8PJqzOWSaU4uSvU98/Jq
1K5m4dsFdB+cW4EnO70Qv3Htl7AZUZHCNhRvbmtilQcAa+wTTYzBtJFiQ/GufDd8
DSMAa4icWq80UDdilikkt4IiMsFyEHJ0R6Jwppf3VnWD2Z+AtM5wEY6/Z4Loy0nn
G/yFK5/d8vXprdFI2D3kfEx7YyMldqUwsfeEmu8Lk5bd4zqN
-----END CERTIFICATE-----
subject=/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cactuscode.org
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 5565 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 02B9ECA6650E99DAB46E41D229C6B6317D5B6649DE5602AAACB85DDA3D4BCB7F
    Session-ID-ctx: 
    Master-Key: 6A79D044DE035A170C384CFFD2AD5B15B5691D518F04597E9A2BA9ED4A14CE93A18B0AB3D9CF65EC73A913FA7AC364EB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1503529970
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

and only fail if tls1.2 is forced:

$ openssl s_client -connect svn.cactuscode.org:443 -tls1_2
CONNECTED(00000003)
47690330324936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1503530008
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Is there any chance of having LSU update their webserver so that it offer tls 1.2 (around since August 2008)?

Note that chances are that Ubuntu (which branches off from Debian unstable regularly) will pick up this change soon affecting the majority of our new Linux ET users.

For Debian this is a blocker since it prevents me from even downloading the code.

Attachments (0)

Change History (4)

comment:1 Changed 17 months ago by Roland Haas

Oddly enough: svn.cct.lsu.edu works fine. I would have assumed that svn.cactuscode.org and svn.cct.lsu.edu eventually point to the same server.

$ openssl s_client -connect svn.cct.lsu.edu:443
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 70803, ST = Louisiana, L = Baton Rouge, street = 110 Thomas Boyd, O = Louisiana State University, OU = LSU A & M, CN = svn.cct.lsu.edu
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cct.lsu.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGezCCBWOgAwIBAgIRAJMak4/cvvLqoIwOhGVpLSQwDQYJKoZIhvcNAQELBQAw
djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMTUwNjA5MDAwMDAwWhcNMTgwNjI1
MjM1OTU5WjCBtDELMAkGA1UEBhMCVVMxDjAMBgNVBBETBTcwODAzMRIwEAYDVQQI
EwlMb3Vpc2lhbmExFDASBgNVBAcTC0JhdG9uIFJvdWdlMRgwFgYDVQQJEw8xMTAg
VGhvbWFzIEJveWQxIzAhBgNVBAoTGkxvdWlzaWFuYSBTdGF0ZSBVbml2ZXJzaXR5
MRIwEAYDVQQLDAlMU1UgQSAmIE0xGDAWBgNVBAMTD3N2bi5jY3QubHN1LmVkdTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANFnkaT5JngRJ6IZhiwTqR87
JKbSHgK0GtbCZqLj1wD1mSYwctGtncrpNDI/x+wLQxJJ8iNQyBPGXzS4yAQTB0rg
9pYitDP8MYGtqkJ8b2QNNLlr6nMiRfAAKbDlARGj9gywqYH+wZO5x+H3Y8zR5pRQ
INiMepwWzYg2BV7H6zHxCcigvvwgRPgWxvzzjubGpH4qMRutdGnnTBEAZKfqL31Z
KbESFCvaUAugxtRSJ13J7AYIMwwTaL5jGpSah8lbPeU81R/TIW44s18kR3Gn7p62
1vLrk0iwcvXggAztV2IWjOnkkYtiqiT7ERSjPMV9Ol1N8UcSoD3JsySx9VH2+B3i
YCxQQc6usijfX6ld5v8rtCZG5pLi8qZUPZ7JmhdPd95nugEgIYtWRe8oaOytljd3
1SmUJnRcb1qY3sAPKoDSxvLa+ZY5s14tVcsAycJg1rx4HPAnY21abiZZgdPN28KV
leqaabdxAFKU9/X1Uk1HhUr6dvhvHPZAU3KksGggqPb7HCF8wEffpEeKO7aMN88y
aXvT0nHPmpyqT4mPQeoWjT3Xdl1oKFvuEIjubQ1F7TMtBKz5qdJgHiojE3KYwP9d
7lBA2MKjrmVsKx6boLgmXfXnZjK3Y2LCffpLYgEtm255SJ95HSQEGF8ePLjuElh2
xafrF8fDwFA3v2glePoJAgMBAAGjggHDMIIBvzAfBgNVHSMEGDAWgBQeBaN3j2yW
4luHS6a0hqxxAAznODAdBgNVHQ4EFgQUVvsvJpMnqcAQsrGqPZdkrNR4SoowDgYD
VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUH
AgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3Bz
X3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwu
aW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJTQVNlcnZlckNBLmNybDB1BggrBgEF
BQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9J
bkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2Nz
cC51c2VydHJ1c3QuY29tMBoGA1UdEQQTMBGCD3N2bi5jY3QubHN1LmVkdTANBgkq
hkiG9w0BAQsFAAOCAQEAmy0H1GJ4o/8EJf/r9K53SySwgCNiXAFkWEMxwzDif01q
QoLuNEGw9Wl8qLYIaLkVZSWL9iuqLfCUxk0Kyn6O+M6IkHXmIaQ+29yWAD00u+5n
T6b1kln6bDOm0lQsiHqg8YXRbg8rAqe7u0VC7x1WGF/ib+BA+rqCfTOtbd5tXy1w
OFCljplQGdJEgpCidMNxBPjOzadiE6GdTo4/jHvndERtm8sSAF7r8MVxVRwqOHkz
NHvB72hkna51ChwOm4dOHOEC+wTm1OxNyqCLJ0L++YrHD77IECaIJz3KV+kRNMuW
tWLY8FU4KGko0oGGRYTmcTYjae7E2vObo1KNjRPvvw==
-----END CERTIFICATE-----
subject=/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cct.lsu.edu
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6030 bytes and written 750 bytes
Verification: OK
---
New, TLSv1.2, Cipher is AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
    Session-ID: 1B0AAEDAEB06597622A980F48AE8E15F87BB43306C0D26E38D208AB507525F6C
    Session-ID-ctx: 
    Master-Key: AB6584F77DE40B391759B6E26B6320F61A77B41E22DFFA005E9146D4BEBEA5FCC692773C13F3ECC09F27394C279689FB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8a 93 fa 3c 8f ab f1 6b-db 99 81 e4 7b aa 49 75   ...<...k....{.Iu
    0010 - 4a 7d ce d3 4e af da e1-53 71 82 d0 e0 a0 a5 3b   J}..N...Sq.....;
    0020 - bf f1 14 07 3a f9 58 75-f7 e3 94 2d 5b 77 c6 a9   ....:.Xu...-[w..
    0030 - ec 19 d5 79 5c 99 ed 6c-c1 7e c8 55 ba 5c 84 23   ...y\..l.~.U.\.#
    0040 - 47 0b fa bc 8b 1d bb a9-3d 90 d7 91 c8 0c 0a 80   G.......=.......
    0050 - 26 05 f7 97 96 58 69 25-a0 ef 77 82 12 00 d4 35   &....Xi%..w....5
    0060 - 7a c4 9a 9c 46 f6 fd 9a-ce cf e6 29 91 d9 f1 fb   z...F......)....
    0070 - 45 ce b9 fd 38 e6 05 f6-f3 11 1a 1c 59 a0 a5 dd   E...8.......Y...
    0080 - f4 26 5c f6 65 b8 1e 4c-7c f0 43 3f 19 15 67 95   .&\.e..L|.C?..g.
    0090 - cd fa e6 a1 41 64 9a a7-e1 b9 5e 97 d4 78 66 ee   ....Ad....^..xf.
    00a0 - d1 0e 58 61 55 e8 a5 d7-8b 23 3d cd cf f6 f5 78   ..XaU....#=....x
    00b0 - b2 9d 92 bb 16 c4 de 47-f8 eb e2 60 4c b0 e4 82   .......G...`L...

    Start Time: 1503956011
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
DONE

comment:2 Changed 17 months ago by Frank Löffler

Owner: set to Steven R. Brandt
Priority: blockermajor
Status: newassigned

For Debian this is a blocker since it prevents me from even downloading the code.

To be fair, Debian Buster is the development version of Debian, not the stable version (reducing priority due to that, at least for the moment). But yes, this should be upgraded. The server is still on Redhat Tikanga 5.11, which is the main reason for the age of the tls used.

I've opened a ticket with IT support to have the machines OS upgraded. Steve is on CC for that. Also assigning to him.

comment:3 Changed 12 months ago by Steven R. Brandt

Resolution: fixed
Status: assignedclosed

comment:4 Changed 2 months ago by Roland Haas

Resolution: fixed
Status: closedreopened

This is occurring again.

Trying to access svn.cactuscode.org from my Debian box (buster) fails with:

openssl s_client -connect svn.cactuscode.org:443
CONNECTED(00000005)
140630053196224:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 86 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

and on a machine that would work with that command line, this one:

openssl s_client -no_tls1 -connect svn.cactuscode.org:443

fails. Indicating that the server only supports tls1.

Since Frank had had this fixed more than a year ago, I wonder why this is happening again.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as reopened The owner will remain Steven R. Brandt.
Next status will be 'review'.
as The resolution will be set.
to The owner will be changed from Steven R. Brandt to the specified user.
The owner will be changed from Steven R. Brandt to anonymous.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.