On Tue, 14 Oct 2014 23:06:08 -0700
"T.C. Hollingsworth" <tchollingsworth@xxxxxxxxx> wrote:

> On Tue, Oct 14, 2014 at 9:03 PM, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> > Sadly, I didn't test auth connections, and they are broken.
> >
> > Seems koji hard codes SSLv3 as the one and only ssl method. ;(
> >
> > We will need to get a patch for koji before we can switch it over.
>
> I fixed connecting to a private instance with the attached patch. I
> was able to submit a scratch build to the Fedora koji with it applied
> too.
>
> Note that it only forces TLSv1 because pyOpenSSL in F20 doesn't seem
> to support TLSv1.1 or TLSv1.2. :-(
>
> -T.C.

Yeah, I attached pretty much an identical patch to:
https://bugzilla.redhat.com/show_bug.cgi?id=1152823

Dennis might have a patch he did a while back to just switch it to use
pycurl.

Sadly, since this is on the client end, we will have to:

* Build updates with whatever fix we need for all branches.
* Push them out and wait for them to get into the hands of maintainers.
* Cut things over to disallow SSLv3 (breaking all people who didn't upgrade).

Perhaps we can figure out a way to keep SSLv3 enabled, but disable
ciphers that are susceptible? :(

kevin
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
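The thread's underlying problem is a client that pins one protocol method, so the server cannot retire that protocol without a flag day. As an added example (not koji's code and not the patch attached to the bug), this sketch uses Python's standard `ssl` module rather than pyOpenSSL to build a client context that sets a floor instead of a pin, and audits a context for the two conditions discussed; the function names and the TLS 1.2 floor are assumptions made for illustration.

```python
import ssl


def build_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client context that negotiates the highest version both peers support.

    Only a lower bound is set (assumed floor: TLS 1.2). No single protocol
    is pinned, so a server can drop old versions without breaking the client.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # version-flexible method
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3  # never offer SSLv2/SSLv3
    ctx.minimum_version = floor
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return a list of findings for the settings this thread is about."""
    findings = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 not disabled")
    if ctx.minimum_version == ctx.maximum_version:
        findings.append("pinned to a single protocol version")
    return findings


def pinned_context():
    """Constructed counter-example: a client locked to exactly one version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("negotiating", build_client_context()),
                      ("pinned", pinned_context())):
        print(name, audit_context(ctx) or "ok")
```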