From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
Subject: | Re: buildfarm server suddenly not talking to old SSL stacks? |
Date: | 2018-07-17 18:44:49 |
Message-ID: | CABUevEwYfaKdmst7RjcvML2+HfQv3bjXmUGXYAALabM0fnd4yg@mail.gmail.com |
Lists: | pgsql-www |
On Tue, Jul 17, 2018 at 8:41 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Tue, Jul 17, 2018 at 8:18 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> The results on dromedary are even more interesting:
> >>
> >> $ perl -MLWP::Simple -MLWP::Protocol::https -e 'LWP::Simple::getprint("http://buildfarm.postgresql.org/branches_of_interest.txt");'
> >> 500 Can't connect to buildfarm.postgresql.org:80 (No route to host) <URL:http://buildfarm.postgresql.org/branches_of_interest.txt>
>
> > Yeah, that part is super weird. Do we know if that worked before? Or has it
> > been using https for a while?
>
> It looks like I installed Perl https support on that machine on
> 2017-01-14, so I'd guess dromedary has been using https since then.
>
So it could be something else. I have no idea what it would be though,
since port 80 seems to work from elsewhere.
> >> I can probably restore these machines to functionality by updating
> >> whichever Perl module knows about TLS (anyone know which that is?),
> >> so if you want to undo the config change, it's OK by me. But other
> >> owners of ancient buildfarm critters might be less happy about it.
>
> > I think what you'd need is a new version of openssl.
>
> Yeah, I'd just come to that conclusion after researching things a bit
> (although it looks like IO::Socket::SSL has some relevant fixes too).
>
> > But it might be hard to get in on all of them. Let's see if we can turn off
> > the restriction for a while, and see if the other BF animals also recover.
>
> The bigger issue here is that if we force buildfarm members to run
> openssl >= x.y, I'd say that's tantamount to desupporting openssl < x.y.
> Are we ready to desupport versions that don't have TLS 1.2? I think
> that might well be reasonable to do in HEAD, but I'm less enthused about
> it for the back branches.
>
Yeah, that's definitely a bigger problem.
We could always use http for those and not https. But surely that's *worse*
than using an https that's considered insecure. Completely skipping it must
be worse... And I don't think separating out the site into "submissions can
do 1.0 but viewers can only do 1.2+" is reasonable, not given that the only
things that actually pass credentials *are* the submissions.
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>