On 7/31/19 4:34 PM, Kevin Fenzi wrote:
On 7/31/19 12:05 PM, Nicolas Mailhot via devel wrote:
And, just to provide another data point, we tried this month to make
the network install iso talk to https dnf repos (a reposync of fedora
devel x86_64, without x86 packages, because we don't have the storage
budget to mirror 32 bit packages we don't have the use for them
anyway). The repos themselves worked fine from installed systems. But,
anaconda refused to use them, till they were re-exposed in plain un-
secured http.
Any errors? Bug filed? as long as the certs were valid/normal certs,
there should not be any reason that wouldn't work I wouldn't think.
My guess would be a protocol version or cipher suite negotiation
failure, presumably because the HTTPS end points use newer
configurations that exclude old versions and ciphers. Hopefully Nicholas
will find the real reason.
BTW, the new crypto systems like wireguard are eschewing crypto
negotiation: if the current protocols are determined to be lacking, the
plan is to push a new version and force everyone to upgrade.
It's pretty harsh from the operational point of view, but they have a
point: if the crypto is vulnerable, it should not be possible to force a
downgrade on connections you care about, and you can still run the old
protocol specifically for endpoints which you cannot upgrade.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
