On Tue, 14 Oct 2014 23:06:08 -0700 "T.C. Hollingsworth" tchollingsworth@gmail.com wrote:
On Tue, Oct 14, 2014 at 9:03 PM, Kevin Fenzi kevin@scrye.com wrote:
Sadly, I didn't test auth connections, and they are broken.
Seems koji hard codes SSLv3 as the one and only ssl method. ;(
We will need to get a patch for koji before we can switch it over.
I fixed connecting to a private instance with the attached patch. I was able to submit a scratch build to the Fedora koji with it applied too.
Note that it only forces TLSv1 because pyOpenSSL in F20 doesn't seem to support TLSv1.1 or TLSv1.2. :-(
-T.C.
Yeah, I attached pretty much an identical patch to:
https://bugzilla.redhat.com/show_bug.cgi?id=1152823
Dennis might have a patch he did a while back to just switch it to use pycurl.
Sadly, since this is on the client end, we will have to:
* Build updates with whatever fix we need for all branches.
* Push them out and wait for them to get into the hands of maintainers.
* Cut things over to disallow SSLv3 (breaking all people who didn't upgrade).
Perhaps we can figure out a way to keep SSLv3 enabled, but disable ciphers that are susceptible?
:(
kevin