[opensuse-buildservice] OBS is using new login auth proxy
JFYI, we switched to a new login proxy mechanism today:
http://news.opensuse.org/2011/04/19/infrastructure-updates/
please report if you see unexpected changes.

Let's hope that Easter is safe ;)

adrian
--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Tuesday 19 April 2011 14:17:14 Adrian Schröter wrote:
> JFYI,
> we switched to a new login proxy mechanism today:
> http://news.opensuse.org/2011/04/19/infrastructure-updates/
> please report if you see unexpected changes.
I got this on editing a .changes file in the webui:

"
Bad Gateway!
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request POST /package/save_modified_file.
Reason: Error reading from remote server
If you think this is a server error, please contact the webmaster.
Error 502
build.opensuse.org
Tue Apr 19 15:42:48 2011
Apache/2.2.10 (Linux/SUSE)
"

HTH

Will
--
Will Stephenson, KDE Developer, openSUSE Boosters Team
SUSE LINUX Products GmbH - Nürnberg - AG Nürnberg - HRB 16746 - GF: Markus Rex
On 19/04/11 10:47, Will Stephenson wrote:
> On Tuesday 19 April 2011 14:17:14 Adrian Schröter wrote:
>> JFYI,
>> we switched to a new login proxy mechanism today:
>> http://news.opensuse.org/2011/04/19/infrastructure-updates/
>> please report if you see unexpected changes.
> I got this on editing a .changes file in the webui: " Bad Gateway!
> The proxy server received an invalid response from an upstream server.
> The proxy server could not handle the request POST /package/save_modified_file.
> Reason: Error reading from remote server
> If you think this is a server error, please contact the webmaster.
> Error 502
Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL

How should this line look then?

Best,
Jan-Simon
On 19/04/11 11:14, Jan-Simon Möller wrote:
> On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
>> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL
> How should this line look then?
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
SSLHonorCipherOrder on

Also change/add that in the global configuration (ssl-global.conf)
Cristian Rodríguez wrote:
> SSLHonorCipherOrder on

I thought about that one too but came to the conclusion to better not set it. Either side may have reasons to use a specific ordering, e.g. due to hardware acceleration for some algorithms. So unless the server has reasons to prefer an algorithm I wouldn't enforce the ordering on server side. Note that even with that option a client could still enforce any server supported algorithm by simply not offering anything else.

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\   V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Jan-Simon Möller wrote:
> On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
>> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL
Something like this should work:
https://build.opensuse.org/package/view_file?file=apache2-vhost-ssl.template&package=apache2&project=Apache

That's more or less cosmetic though. More important (and usually even more broken) are the clients. Clients need to avoid offering weak methods and ciphers to avoid MITM.

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\   V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
On 19/04/11 11:35, Ludwig Nussel wrote:
> Jan-Simon Möller wrote:
>> On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
>>> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL
> Something like this should work:
> https://build.opensuse.org/package/view_file?file=apache2-vhost-ssl.template&package=apache2&project=Apache
> That's more or less cosmetic though. More important (and usually even more broken) are the clients. Clients need to avoid offering weak methods and ciphers to avoid MITM.
SSLHonorCipherOrder
"When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead."

that kinda works around the problem. :)
On Tuesday, 19 April 2011, 16:35:58, Ludwig Nussel wrote:
> Jan-Simon Möller wrote:
>> On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
>>> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL
> Something like this should work:
> https://build.opensuse.org/package/view_file?file=apache2-vhost-ssl.template&package=apache2&project=Apache
Added.
> That's more or less cosmetic though. More important (and usually even more broken) are the clients. Clients need to avoid offering weak methods and ciphers to avoid MITM.
Yes, it would be best.

Best,
Jan-Simon
On Tuesday, 19 April 2011, 16:35:58, Ludwig Nussel wrote:
> Jan-Simon Möller wrote:
>> On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
>>> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL
> Something like this should work:
> https://build.opensuse.org/package/view_file?file=apache2-vhost-ssl.template&package=apache2&project=Apache

--snip--
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2 -SSLv3

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# We disable weak ciphers by default.
# See the mod_ssl documentation or "openssl ciphers -v" for a
# complete list.
--snip--

> That's more or less cosmetic though. More important (and usually even more broken) are the clients. Clients need to avoid offering weak methods and ciphers to avoid MITM.
>
> cu
> Ludwig
Ok, in conjunction with the just posted patch to osc: --- a/osc/oscssl.py +++ b/osc/oscssl.py @@ -153,7 +153,7 @@ class ValidationErrors: class mySSLContext(SSL.Context): def __init__(self): - SSL.Context.__init__(self, 'sslv23') + SSL.Context.__init__(self, 'tlsv1') self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2) # m2crypto does this for us but better safe than sorry self.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT) self.verrs = None and the above "-SSLv2 -SSLv3" , we lock out old clients! Thats no good. Thus we might have to allow v3 at least for a grace period ? Best, Jan-Simon -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
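Review bot: replacing `SSL.Context.__init__(self, 'sslv23')` with `SSL.Context.__init__(self, 'tlsv1')` pins osc to TLS 1.0 and makes it reject TLS 1.1 or any newer version a server offers, whereas the 'sslv23' method, misleading name aside, negotiates the best version both ends support. Keep the 'sslv23' constructor call and instead extend the following options line to `self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2 | m2.SSL_OP_NO_SSLv3)`, which disables SSLv2 and SSLv3 on the client the same way `SSLProtocol all -SSLv2 -SSLv3` does on the server; the existing "better safe than sorry" comment then still describes what the line does.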
Jan-Simon Möller wrote:
Ok, in conjunction with the just posted patch to osc: --- a/osc/oscssl.py +++ b/osc/oscssl.py @@ -153,7 +153,7 @@ class ValidationErrors: class mySSLContext(SSL.Context):
def __init__(self): - SSL.Context.__init__(self, 'sslv23') + SSL.Context.__init__(self, 'tlsv1') self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2) # m2crypto does this for us but better safe than sorry self.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT) self.verrs = None
> and the above "-SSLv2 -SSLv3", we lock out old clients! That's no good. Thus we might have to allow v3 at least for a grace period?
No, see reply to the patch. 'sslv23' doesn't mean old clients only used SSLv3. The name is misleading.

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\   V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> That has an unexpected side effect. Selecting TLS 1.0 explicitly will make openssl only accept that and nothing else, i.e. it would reject TLS 1.1 or any other newer version. Contrary to what the name suggests, SSLv23_client_method does support TLS, any version. It automatically accepts the best version available. So to force TLS only, use SSLv23_client_method() and disable SSLv2 and SSLv3 :-) That's exactly what the proposed apache config SSLProtocol all -SSLv2 -SSLv3 internally does too.
>
> cu
> Ludwig
Holy crap!! It doesn't get more tricky than SSL it seems :-D and yes, of course you are right, it is documented that way. damn =)

So flags SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3 might be used or not; in the case where SSLv3 and v2 are disabled in the server, OpenSSL has no choice but TLS.. I get it now..

Cheers.
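The distinction Ludwig draws above, a version pin that rejects everything newer versus the SSLv23 method plus SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 that sets a floor, transposed to Python's standard ssl module as an added example. This is editor-written code, not osc's or M2Crypto's: it assumes `PROTOCOL_TLS_CLIENT` as the stdlib name for the negotiate-the-best-version method and `minimum_version` as the replacement for the old SSL_OP_NO_* flags, and it demonstrates the pin with TLS 1.2 rather than TLS 1.0 because current OpenSSL builds may refuse a 1.0 floor. The cipher string is the hardened one proposed earlier in the thread, without the `!SSLv2` token that only mattered while OpenSSL still shipped SSLv2 ciphers.

```python
"""Floor vs. pin for TLS protocol versions, using Python's stdlib ssl module.

Added example, not code from osc or M2Crypto.  Assumptions: PROTOCOL_TLS_CLIENT
stands in for OpenSSL's SSLv23 (negotiate-the-best) method, minimum_version for
the SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 options, and the pin is shown with TLS 1.2
rather than TLS 1.0 because current OpenSSL builds may refuse a 1.0 floor.
"""
import ssl

# Hardened cipher list proposed in the thread, minus the SSLv2 token that
# only mattered while OpenSSL still shipped SSLv2 ciphers.
HARDENED_CIPHERS = "ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH"

# Concrete protocol versions this OpenSSL build was compiled with, in wire
# order.  The enum's MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED sentinels mean
# "whatever the library has" and are resolved in negotiable_versions().
_BUILT_VERSIONS = [
    v for v, present in (
        (ssl.TLSVersion.SSLv3, ssl.HAS_SSLv3),
        (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
        (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
        (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
        (ssl.TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
    ) if present
]


def floor_context():
    """The correct fix: SSLv23-style negotiation with SSLv2/SSLv3 removed.

    Client-side equivalent of the server's 'SSLProtocol all -SSLv2 -SSLv3',
    with the floor raised to TLS 1.2 as is appropriate today; anything newer
    the peer offers stays negotiable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def pinned_context():
    """The mistake in the osc patch, transposed: one explicit version only.

    Selecting a single version makes the client accept that and nothing else,
    so a server offering TLS 1.3 is refused although it is strictly better.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def negotiable_versions(ctx):
    """Names of the protocol versions ctx would accept from a peer, lowest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _BUILT_VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _BUILT_VERSIONS[-1]
    return [v.name for v in _BUILT_VERSIONS if lo <= v <= hi]


def offered_weak_ciphers(ctx):
    """Cipher names ctx would still offer that carry export, MD5 or NULL markers."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"] for tag in ("EXP", "MD5", "NULL"))]


if __name__ == "__main__":
    for label, ctx in (("floor", floor_context()), ("pin", pinned_context())):
        print(f"{label:5s} accepts {negotiable_versions(ctx)}; "
              f"weak ciphers offered: {offered_weak_ciphers(ctx)}")
```

Run as a script it prints the two version windows side by side: the floor context lists TLS 1.2 and 1.3, the pinned one only 1.2, and neither offers an export, MD5 or NULL cipher.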
On 19/04/11 11:14, Jan-Simon Möller wrote:
> On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
>> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL
> How should this line look then?
Also take a look at this
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
On 19/04/11 11:14, Jan-Simon Möller wrote:
> On Tuesday, 19 April 2011, 15:59:08, Cristian Rodríguez wrote:
>> Yes, it is unstable atm. Also, it allows SSLv2! Looks like someone forgot to disable it in the vhost configuration...
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP: +eNULL
> How should this line look then?
Still SSLv2 is enabled, including very weak ciphers

./sslscan --renegotiation --no-failed login.opensuse.org

sslscan version 1.8.3rc3
OpenSSL 1.0.0d 8 Feb 2011

Testing SSL server login.opensuse.org on port 443

  TLS renegotiation: Secure session renegotiation supported

  Supported Server Cipher(s):
    Accepted  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv2  128 bits  RC2-CBC-MD5
    Accepted  SSLv2  128 bits  RC4-MD5
    Accepted  SSLv2  56 bits   DES-CBC-MD5
    Accepted  SSLv2  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv2  40 bits   EXP-RC4-MD5
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  256 bits  CAMELLIA256-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
    Accepted  SSLv3  40 bits   EXP-RC2-CBC-MD5
    Accepted  SSLv3  40 bits   EXP-RC4-MD5
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC2-CBC-MD5
    Accepted  TLSv1  40 bits   EXP-RC4-MD5

  Prefered Server Cipher(s):
    SSLv2  168 bits  DES-CBC3-MD5
    SSLv3  256 bits  DHE-RSA-AES256-SHA
    TLSv1  256 bits  DHE-RSA-AES256-SHA
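A scan like the one above is easiest to act on when a script turns it into a pass/fail verdict with reasons. The following is an added example written for this page, not part of the thread or of sslscan: it parses sslscan 1.8-style `Accepted <proto> <bits> bits <cipher>` lines and flags every cipher that a `SSLProtocol all -SSLv2 -SSLv3` plus `!LOW:!EXP:!MD5:!eNULL` policy would forbid. `SAMPLE_REPORT` is a constructed excerpt of Cristian's scan, `CLEAN_REPORT` a constructed post-hardening run, and the thresholds (TLS only, at least 128 bits, no export, MD5 or NULL suites) are this example's own.

```python
"""Triage an sslscan cipher report against a TLS-only, strong-cipher policy.

Added example, not from the thread or from sslscan.  SAMPLE_REPORT is a
constructed excerpt that keeps sslscan 1.8's line shape
("Accepted <proto> <bits> bits <cipher>") with a representative subset of the
ciphers the login.opensuse.org scan listed; CLEAN_REPORT is a constructed
post-hardening run; the policy thresholds are this example's own.
"""
import re

SAMPLE_REPORT = """\
Testing SSL server login.opensuse.org on port 443

  Supported Server Cipher(s):
    Accepted  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv2  40 bits   EXP-RC4-MD5
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   DES-CBC-SHA
    Accepted  TLSv1  40 bits   EXP-RC4-MD5

  Prefered Server Cipher(s):
    SSLv2  168 bits  DES-CBC3-MD5
    TLSv1  256 bits  DHE-RSA-AES256-SHA
"""

# What the same host should look like after 'SSLProtocol all -SSLv2 -SSLv3'
# and a cipher list without LOW/EXP/MD5 entries (constructed).
CLEAN_REPORT = """\
  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA

  Prefered Server Cipher(s):
    TLSv1  256 bits  DHE-RSA-AES256-SHA
"""

_PROTO = r"(SSLv2|SSLv3|TLSv1(?:\.\d)?)"
ACCEPTED_RE = re.compile(r"^\s*Accepted\s+" + _PROTO + r"\s+(\d+)\s+bits\s+(\S+)")
PREFERRED_RE = re.compile(r"^\s*" + _PROTO + r"\s+(\d+)\s+bits\s+(\S+)")

BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}   # policy: TLS only
MIN_BITS = 128                           # policy: nothing below 128 bits (40/56-bit DES, export suites)


def weakness_reasons(proto, bits, name):
    """List why one accepted cipher violates the policy; an empty list means it passes."""
    reasons = []
    if proto in BANNED_PROTOCOLS:
        reasons.append("protocol " + proto)
    if bits < MIN_BITS:
        reasons.append(f"{bits}-bit key")
    if name.startswith("EXP-"):
        reasons.append("export grade")
    if "MD5" in name:
        reasons.append("MD5 MAC")
    if "NULL" in name:
        reasons.append("no encryption or authentication")
    return reasons


def parse_report(text):
    """Return (accepted, preferred) from sslscan-style output:
    accepted as (proto, bits, name) tuples, preferred as {proto: name}."""
    accepted, preferred, in_preferred = [], {}, False
    for line in text.splitlines():
        if "Prefered Server Cipher" in line or "Preferred Server Cipher" in line:
            in_preferred = True          # sslscan 1.8 misspells this header
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        if in_preferred:
            m = PREFERRED_RE.match(line)
            if m:
                preferred[m.group(1)] = m.group(3)
    return accepted, preferred


def triage(text):
    """Summarise a report: protocols seen, weak ciphers with reasons, pass/fail."""
    accepted, preferred = parse_report(text)
    weak = [(proto, name, weakness_reasons(proto, bits, name))
            for proto, bits, name in accepted
            if weakness_reasons(proto, bits, name)]
    return {
        "protocols": sorted({proto for proto, _, _ in accepted}),
        "accepted": len(accepted),
        "weak": weak,
        "preferred": preferred,
        # A server that still *prefers* an SSLv2/SSLv3 cipher fails even if
        # the accepted list were otherwise clean.
        "pass": not weak and not (BANNED_PROTOCOLS & set(preferred)),
    }


if __name__ == "__main__":
    for label, report in (("login.opensuse.org as scanned", SAMPLE_REPORT),
                          ("after hardening", CLEAN_REPORT)):
        result = triage(report)
        print(f"{label}: {'PASS' if result['pass'] else 'FAIL'}, "
              f"{len(result['weak'])}/{result['accepted']} accepted ciphers weak, "
              f"protocols {result['protocols']}")
        for proto, name, reasons in result["weak"]:
            print(f"  {proto:6s} {name:28s} {', '.join(reasons)}")
```

The verdict keys off both lists on purpose: the "Prefered Server Cipher(s)" section shows what the server would actually pick, so a host that still prefers an SSLv2 suite fails even before the individual accepted ciphers are examined.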
On Tuesday, 19 April 2011, 15:47:13, Will Stephenson wrote:
> On Tuesday 19 April 2011 14:17:14 Adrian Schröter wrote:
>> JFYI,
>> we switched to a new login proxy mechanism today:
>> http://news.opensuse.org/2011/04/19/infrastructure-updates/
>> please report if you see unexpected changes.
> I got this on editing a .changes file in the webui: " Bad Gateway!
> The proxy server received an invalid response from an upstream server.
> The proxy server could not handle the request POST /package/save_modified_file.
> Reason: Error reading from remote server
> If you think this is a server error, please contact the webmaster.
> Error 502
This is currently caused due to some maintenance work to switch from lighttpd to apache passenger. Should get better now ...

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de