The login button in koji will not work unless you configure Chrome to use your client certificate; I dunno how to do that. I read somewhere that Chrome will be dropping support for client certs, but I forget where I read it and I can't find any links to support that.

On Tue, 2016-05-03 at 07:34 -0400, Neal Becker wrote:
> Appears to be a deprecation in chrome 50:
> https://developers.google.com/web/updates/2016/03/chrome-50-deprecations?hl=en&p=ir_ssl_error&hl=en&rd=1#remove-insecure-tls-version-fallback

Nope, then you would get ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION.

Insecure version fallback is for the most seriously broken of servers. The client says "I support TLS 1.2" but the server only supports an older version, say 1.0. The server is supposed to say "too bad, we will establish a TLS 1.0 connection," because min(1.0, 1.2) = 1.0, right? Instead these broken servers see 1.2, think "what on Earth is 1.2?" and terminate the connection. I'm not aware of any open source servers that have ever been affected by this; I've personally only seen it with old Microsoft IIS servers.

It turns out that the link that explains the error message is wrong:

https://bugs.chromium.org/p/chromium/issues/detail?id=607052

Michael

P.S. Now, the koji configuration IS seriously broken, as it uses a self-signed certificate. This makes no sense, as the packager cannot trust that the server is the real koji; I have to click through the scary security warning whenever I visit koji for the first time after restarting my browser, and I don't like doing that, so I only ever access koji via plain HTTP and never HTTPS. I've heard claims that the self-signed certificate is needed for client authentication, but I don't think that's right and I know of no evidence to support this. (Fortunately, much more important for koji is to authenticate the packager's client certificate, and that seems to be working properly.)

P.S.S. koji is using an absurd 8096 RSA key size. This is pointless. 2048 is the recommended key size nowadays; 4096 is considered expensive and paranoid.
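
The version negotiation described in the message above, as an added example (not part of the original message, and not Chrome's or any server's code): a simplified Python model of a compliant server, a version-intolerant server, and a client with and without version fallback. The ClientHello bytes, the two server functions and the `connect` helper are all constructed for illustration.

```python
import struct

# TLS protocol versions as (major, minor) wire values.
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)

def build_client_hello(max_version):
    """Constructed, minimal ClientHello record carrying the offered version."""
    body = bytes(max_version) + bytes(32) + b"\x00"   # client_version, random, empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"        # cipher suite list with one entry
    body += b"\x01\x00"                               # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_version(record):
    """Read ClientHello.client_version, the highest version the client offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    return (record[9], record[10])

def compliant_server(record, server_max):
    """Correct behaviour: answer with min(client's highest, server's highest)."""
    return min(client_version(record), server_max)

def intolerant_server(record, server_max):
    """Broken behaviour from the message: abort on a version it does not know."""
    offered = client_version(record)
    if offered > server_max:
        return None  # connection terminated, no ServerHello sent
    return offered

def connect(server, server_max, client_max=TLS12, client_min=TLS10,
            insecure_fallback=False):
    """Simplified client: with fallback, retry a failed handshake at lower versions."""
    offers = [v for v in (TLS12, TLS11, TLS10) if client_min <= v <= client_max]
    if not insecure_fallback:
        offers = offers[:1]  # single attempt at the client's real maximum
    for offer in offers:
        chosen = server(build_client_hello(offer), server_max)
        if chosen is not None and chosen >= client_min:
            return chosen
    return None

if __name__ == "__main__":
    print("compliant, TLS 1.0 only:      ", connect(compliant_server, TLS10))
    print("intolerant, no fallback:      ", connect(intolerant_server, TLS10))
    print("intolerant, insecure fallback:", connect(intolerant_server, TLS10, insecure_fallback=True))
```

The fallback is what kept version-intolerant servers reachable, but any failure of the first handshake triggers the same retry at a lower version, which is why it is called insecure.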