connection failures to svn.cactuscode.org
I am getting connection failures to svn.cactuscode.org using svn 1.9.7 on Debian buster (which is starting to phase out tls 1.0 and 1.1 support https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html). Namely I get:
ET_Hack$ svn checkout https://svn.cactuscode.org/projects/ExternalLibraries/zlib/
svn: E170013: Unable to connect to a repository at URL 'https://svn.cactuscode.org/projects/ExternalLibraries/zlib'
svn: E120171: Error running context: An error occurred during SSL communication
and openssl shows:
ET_Hack$ openssl s_client -connect svn.cactuscode.org:443
CONNECTED(00000003)
140481992824064:error:14171102:SSL routines:tls_process_server_hello:unsupported protocol:../ssl/statem/statem_clnt.c:917:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 86 bytes and written 183 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503529726
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
systems which still allow tls1.0 (eg the QueenBee login nodes) return
$ openssl s_client -connect svn.cactuscode.org:443
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 70803, ST = Louisiana, L = Baton Rouge, street = 110 Thomas Boyd, O = Louisiana State University, OU = LSU A & M, CN = svn.cactuscode.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cactuscode.org
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cactuscode.org
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 5565 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 02B9ECA6650E99DAB46E41D229C6B6317D5B6649DE5602AAACB85DDA3D4BCB7F
    Session-ID-ctx:
    Master-Key: 6A79D044DE035A170C384CFFD2AD5B15B5691D518F04597E9A2BA9ED4A14CE93A18B0AB3D9CF65EC73A913FA7AC364EB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1503529970
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
and only fail if tls1.2 is forced:
$ openssl s_client -connect svn.cactuscode.org:443 -tls1_2
CONNECTED(00000003)
47690330324936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1503530008
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Is there any chance of having LSU update their webserver so that it offers TLS 1.2 (around since August 2008)?
Note that chances are that Ubuntu (which branches off from Debian unstable regularly) will pick up this change soon affecting the majority of our new Linux ET users.
For Debian this is a blocker since it prevents me from even downloading the code.
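An added example, not part of the ticket: a small Python checker that parses openssl s_client transcripts like the ones quoted above and reports the conditions this issue is about (handshake refused, a deprecated protocol negotiated, a 1024-bit ephemeral DH key). The two sample transcripts are condensed from the outputs in the report; note that on a failed handshake the SSL-Session block still echoes the version the client offered, so the protocol field is only trusted when the handshake succeeded.

```python
import re

# Constructed samples, condensed from the s_client outputs quoted in this issue.
OK_TLS1 = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
"""
FAIL_TLS12 = """\
140481992824064:error:14171102:SSL routines:tls_process_server_hello:unsupported protocol:../ssl/statem/statem_clnt.c:917:
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
"""

DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_s_client(text):
    """Extract handshake result, protocol, cipher, temp key size and error."""
    new = re.search(r"^New, (.*), Cipher is (.*)$", text, re.M)
    ok = bool(new) and new.group(2) != "(NONE)"
    err = re.search(r":error:[0-9A-F]+:SSL routines:[^:]*:([^:]+):", text)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    key = re.search(r"^Server Temp Key: (\w+), (\d+) bits", text, re.M)
    return {
        "ok": ok,
        # A failed handshake still prints the *offered* version (TLSv1.2 in
        # FAIL_TLS12), so the protocol is only meaningful when ok is True.
        "protocol": proto.group(1) if ok and proto else None,
        "cipher": new.group(2) if ok else None,
        "temp_key_bits": int(key.group(2)) if key else None,
        "error": err.group(1) if err else None,
    }

def findings(text):
    """Human-readable list of problems seen in one s_client transcript."""
    p = parse_s_client(text)
    if not p["ok"]:
        return ["handshake failed: " + (p["error"] or "unknown")]
    out = []
    if p["protocol"] in DEPRECATED:
        out.append(f"negotiated deprecated protocol {p['protocol']}")
    if p["temp_key_bits"] is not None and p["temp_key_bits"] < 2048:
        out.append(f"ephemeral key only {p['temp_key_bits']} bits")
    return out
```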
Keyword: SSL
Comments (6)
For Debian this is a blocker since it prevents me from even downloading the code.
To be fair, Debian Buster is the development version of Debian, not the stable version (reducing priority due to that, at least for the moment). But yes, this should be upgraded. The server is still on Redhat Tikanga 5.11, which is the main reason for the age of the tls used.
I've opened a ticket with IT support to have the machine's OS upgraded. Steve is on CC for that. Also assigning to him.
This is occurring again.
Trying to access svn.cactuscode.org from my Debian box (buster) fails with:
openssl s_client -connect svn.cactuscode.org:443
CONNECTED(00000005)
140630053196224:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 86 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
and on a machine that would work with that command line, this one:
openssl s_client -no_tls1 -connect svn.cactuscode.org:443
fails, indicating that the server only supports TLS 1.0.
Since Frank had had this fixed more than a year ago, I wonder why this is happening again.
reporter: Issue #2415 was marked as a duplicate of this issue.
reporter: This is really very annoying. The server also hosts the www repository behind https://cactuscode.org and right now, in order to fix typos in the posted Turing release date I noticed, I had to spin up a Debian Jessie VM just to get an old enough OpenSSL that will still talk to the ancient SSL library on svn.cactuscode.org.
#2387 would at least take care of the most often updated repo.
Oddly enough:
svn.cct.lsu.edu
works fine. I would have assumed that svn.cactuscode.org and svn.cct.lsu.edu eventually point to the same server.