From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net> |
Subject: | Re: buildfarm server suddenly not talking to old SSL stacks? |
Date: | 2018-07-17 18:22:56 |
Message-ID: | CABUevExOETVFPx+g2F57ZtZTnwFn4gHRaUAvCyqsZc6=sCCGCg@mail.gmail.com |
Lists: | pgsql-www |
On Tue, Jul 17, 2018 at 8:18 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
> > On Tue, Jul 17, 2018 at 7:51 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
<snip>
>
> The results on dromedary are even more interesting:
>
> $ curl https://buildfarm.postgresql.org/branches_of_interest.txt
> REL9_3_STABLE
> REL9_4_STABLE
> REL9_5_STABLE
> REL9_6_STABLE
> REL_10_STABLE
> REL_11_STABLE
> HEAD
>
> (So, system keystore less out of date here...)
>
>
> $ perl -MLWP::Simple -MLWP::Protocol::https -e 'LWP::Simple::getprint("http://buildfarm.postgresql.org/branches_of_interest.txt");'
> 500 Can't connect to buildfarm.postgresql.org:80 (No route to host) <URL:http://buildfarm.postgresql.org/branches_of_interest.txt>
>
> $ perl -MLWP::Simple -MLWP::Protocol::https -e 'LWP::Simple::getprint("https://buildfarm.postgresql.org/branches_of_interest.txt");'
> REL9_3_STABLE
> REL9_4_STABLE
> REL9_5_STABLE
> REL9_6_STABLE
> REL_10_STABLE
> REL_11_STABLE
> HEAD
>
> I have no idea what to make of the fact that http: still fails with this
>

Yeah, that part is super weird. Do we know if that worked before? Or has it
been using https for a while?

> perl version. But I think we've conclusively proven that the problem with
> https: is down to these machines trying to use tlsv1.
>
> So the next question is what to do about it. Is tls < 1.2 officially
> deprecated these days, or was that configuration change just accidental?
>

It absolutely is. I actually thought we had already blocked that in the
*previous* setup, but clearly we hadn't :)

That said, the buildfarm doesn't really do things that are that sensitive.
So we can probably turn it off on that individual machine if we have to.
Right now our config management will flip the configuration right back
shortly, but I can probably get that sorted out pretty easily.

> I can probably restore these machines to functionality by updating
> whichever Perl module knows about TLS (anyone know which that is?),
> so if you want to undo the config change, it's OK by me. But other
> owners of ancient buildfarm critters might be less happy about it.
>

I think what you'd need is a new version of openssl.
But it might be hard to get in on all of them. Let's see if we can turn off
the restriction for a while, and see if the other BF animals also recover.
--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>
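
One way to confirm from a packet capture which clients the TLS 1.2 minimum discussed in this thread will cut off: read the highest version each ClientHello offers. This is an added example, not code from the thread or from the buildfarm; the function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

TLS_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def max_offered_version(record: bytes) -> int:
    """Highest protocol version offered by a raw ClientHello record."""
    ctype, _legacy, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len < 4 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    pos = 9                                              # past record header, msg type, 3-byte length
    (version,) = struct.unpack_from("!H", record, pos)   # client_version: max for pre-1.3 stacks
    pos += 2 + 32                                        # client_version + random
    pos += 1 + record[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    if pos + 2 > 5 + rec_len:                            # no extensions, common on old stacks
        return version
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x002B:                           # supported_versions (TLS 1.3 clients)
            offered = struct.unpack_from("!%dH" % (record[pos] // 2), record, pos + 1)
            return max((v for v in offered if v in TLS_NAMES), default=version)  # skip GREASE
        pos += ext_len
    return version

def server_accepts(record: bytes, server_min: int = 0x0303) -> bool:
    """True if the client offers at least the server's minimum (TLS 1.2 here)."""
    return max_offered_version(record) >= server_min

def build_client_hello(version: int, supported=None) -> bytes:
    """Constructed sample ClientHello for the demo, not captured traffic."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!HH", 2, 0x002F) + b"\x01\x00"       # one cipher suite, null compression
    if supported:
        sv = struct.pack("!B%dH" % len(supported), 2 * len(supported), *supported)
        ext = struct.pack("!HH", 0x002B, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

if __name__ == "__main__":
    for label, hello in [("old stack", build_client_hello(0x0301)),
                         ("modern stack", build_client_hello(0x0303, [0x0304, 0x0303]))]:
        print(f"{label}: max {TLS_NAMES[max_offered_version(hello)]}, accepted={server_accepts(hello)}")
```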