Hi guys,
I’ve recently tried to deploy some apps with saltstack on CentOS 6.4. I’m using saltstack bootstrap script, which installs EPEL. The problem is, that yum fails with update because it cannot reach the HTTPS repositories. When changing to HTTP, it starts working. You can see a detailed discussion about it here: https://github.com/saltstack/salt-bootstrap/issues/474#issuecomment-62449575
What can I do about that?
Regards,
Przemysław Hejman
On Wed, 12 Nov 2014 10:02:37 +0100 Przemysław Hejman <przemyslaw.hejman@gmail.com> wrote:
> Hi guys,
> I’ve recently tried to deploy some apps with saltstack on CentOS 6.4. I’m using saltstack bootstrap script, which installs EPEL. The problem is, that yum fails with update because it cannot reach the HTTPS repositories. When changing to HTTP, it starts working. You can see a detailed discussion about it here: https://github.com/saltstack/salt-bootstrap/issues/474#issuecomment-62449575
> What can I do about that?
The problem is that the fedora project has disabled SSLv3 (after it was found to be insecure). As part of that, mirrors.fedoraproject.org also no longer works for clients that can't negotiate better than SSLv3.
CentOS/RHEL 6.6 works fine.
I think 6.5 works fine with all nss* package updates applied.
I don't have any idea about 6.4. Are there pending nss* updates for you?
Would it be possible for you to update to 6.6 or 6.5?
kevin
13.11.2014, 0.37, Kevin Fenzi wrote:
> The problem is that the fedora project has disabled SSLv3 (after it was found to be insecure). As part of that, mirrors.fedoraproject.org also no longer works for clients that can't negotiate better than SSLv3.
> CentOS/RHEL 6.6 works fine.
> I think 6.5 works fine with all nss* package updates applied.
> I don't have any idea about 6.4. Are there pending nss* updates for you?
I believe the problem is not really SSLv3, but that the Fedora Project uses 4096 bit keys, which the old nss can't handle. I was unable to locate any other web server that used 4096 bit keys when I was diagnosing the issue back then, so I was unable to confirm my theory.
CentOS 6.4 without any updates does not work, but works with C6.4's nss and nspr update. nss-3.14.3-4.el6_4 is the oldest version that works. CentOS 6.5 and later will of course work as well.
To fix the problem: yum update --disablerepo=epel*
If your nss is too old to handle Fedora's certificates, it means you haven't run "yum update" for more than a year and you are missing a large bunch of important CentOS updates.
On Thu, 13 Nov 2014 01:37:13 +0200 Anssi Johansson <epel@miuku.net> wrote:
> I believe the problem is not really SSLv3, but that the Fedora Project uses 4096 bit keys, which the old nss can't handle. I was unable to locate any other web server that used 4096 bit keys when I was diagnosing the issue back then, so I was unable to confirm my theory.
Well, we changed certs in April after heartbleed. I would expect if that broke things we would have seen it before now.
> CentOS 6.4 without any updates does not work, but works with C6.4's nss and nspr update. nss-3.14.3-4.el6_4 is the oldest version that works. CentOS 6.5 and later will of course work as well.
> To fix the problem: yum update --disablerepo=epel*
> If your nss is too old to handle Fedora's certificates, it means you haven't run "yum update" for more than a year and you are missing a large bunch of important CentOS updates.
Yeah.
kevin
epel-devel@lists.fedoraproject.org
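A preflight check built on the version data reported in the thread, as an added example that is not part of the thread or of salt-bootstrap: it compares the installed nss build with nss-3.14.3-4.el6_4 and, if it is older, runs the update with EPEL disabled instead of switching the repositories to HTTP. The function names, the `--check` switch and the simplified numeric version comparison are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or salt-bootstrap): check nss before using EPEL over HTTPS.
# Threshold from the thread: nss-3.14.3-4.el6_4 is the oldest build reported to work.
MIN_NSS_VERSION="3.14.3"
MIN_NSS_RELEASE="4"

# ver_ge A B: succeed if dotted numeric string A >= B (missing fields count as 0).
# Simplified stand-in for rpm's own comparison; assumes purely numeric fields.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# nss_ok VERSION-RELEASE: succeed if the given nss build is at or above the threshold.
nss_ok() {
    ver=${1%%-*}                    # upstream version, e.g. 3.14.3
    rel=${1#*-}; rel=${rel%%.*}     # leading release number, e.g. 4 from 4.el6_4
    ver_ge "$ver" "$MIN_NSS_VERSION" || return 1
    if ver_ge "$MIN_NSS_VERSION" "$ver"; then   # same version: release decides
        ver_ge "$rel" "$MIN_NSS_RELEASE"
    fi
}

# preflight: query the installed nss and, if too old, update the base system
# with EPEL disabled (the command given in the thread), leaving EPEL on HTTPS.
preflight() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' nss 2>/dev/null | head -n 1)
    case $installed in
        [0-9]*-[0-9]*) ;;
        *) echo "could not determine nss version" >&2; return 2 ;;
    esac
    if nss_ok "$installed"; then
        echo "nss $installed meets the threshold from the thread; leave EPEL on https"
    else
        echo "nss $installed is older than $MIN_NSS_VERSION-$MIN_NSS_RELEASE; updating with EPEL disabled"
        yum -y update --disablerepo='epel*'
    fi
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it with `--check` on the host before the bootstrap enables EPEL; without the switch it only defines the functions.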