no SSL3 and TLS support for https://fedorahosted.org/

Remko van der Vossen wich at yuugen.jp
Tue Aug 17 13:15:36 UTC 2010


Hello,


https://fedorahosted.org/releases/e/l/elfutils/0.148/elfutils-0.148.tar.bz2
does not seem to be working correctly; an attempt to download this using
wget gives:

> wget https://fedorahosted.org/releases/e/l/elfutils/0.148/elfutils-0.148.tar.bz2
--2010-08-17 15:07:29--  https://fedorahosted.org/releases/e/l/elfutils/0.148/elfutils-0.148.tar.bz2
Resolving fedorahosted.org (fedorahosted.org)... 66.135.52.17
Connecting to fedorahosted.org (fedorahosted.org)|66.135.52.17|:443... connected.
OpenSSL: error:14092073:SSL routines:SSL3_GET_SERVER_HELLO:bad packet length
Unable to establish SSL connection.

When using SSLv2 explicitly it does work:

> wget --secure-protocol=SSLv2 https://fedorahosted.org/releases/e/l/elfutils/0.148/elfutils-0.148.tar.bz2
--2010-08-17 15:08:51--  https://fedorahosted.org/releases/e/l/elfutils/0.148/elfutils-0.148.tar.bz2
Resolving fedorahosted.org (fedorahosted.org)... 66.135.52.17
Connecting to fedorahosted.org (fedorahosted.org)|66.135.52.17|:443... connected.
HTTP request sent, awaiting response... 200 OK

However, wget should automatically use SSLv2 if only v2 is supported;
from the manpage:

  --secure-protocol=protocol
      Choose the secure protocol to be used.  Legal values are auto,
      SSLv2, SSLv3, and TLSv1.  If auto is used, the SSL library is
      given the liberty of choosing the appropriate protocol
      automatically, which is achieved by sending an SSLv2 greeting and
      announcing support for SSLv3 and TLSv1.  This is the default.

      Specifying SSLv2, SSLv3, or TLSv1 forces the use of the
      corresponding protocol.  This is useful when talking to old and
      buggy SSL server implementations that make it hard for OpenSSL to
      choose the correct protocol version.  Fortunately, such servers
      are quite rare.

Is it a case of a misconfigured webserver or is an update of the
software in order?

Additionally, besides the versioned subdirectories, there are direct
links to the tarballs; however, it seems that the permissions are not set
correctly for these:

> wget --secure-protocol=SSLv2 https://fedorahosted.org/releases/e/l/elfutils/elfutils-0.148.tar.bz2
--2010-08-17 15:13:20--  https://fedorahosted.org/releases/e/l/elfutils/elfutils-0.148.tar.bz2
Resolving fedorahosted.org (fedorahosted.org)... 66.135.52.17
Connecting to fedorahosted.org (fedorahosted.org)|66.135.52.17|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden


Hope you are willing to look into these problems.

With kind regards,

Remko van der Vossen.
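
Added example, not part of the original message and not wget or OpenSSL code: a sketch of the "auto" behaviour the manpage excerpt describes (an SSLv2-framed greeting that announces TLSv1), plus a classifier for the framing of a peer's first bytes, which helps when checking which protocol a server actually answers with. The function names and the sample byte strings are constructed for illustration, and only the 2-byte SSLv2 record header is handled.

```python
import struct

# SSLv2-format cipher specs are 3 bytes; SSLv3/TLS suites are sent as 0x00 + suite.
SPECS = [bytes.fromhex("010080"),   # SSL_CK_RC4_128_WITH_MD5 (SSLv2)
         bytes.fromhex("000005"),   # TLS_RSA_WITH_RC4_128_SHA
         bytes.fromhex("00000a")]   # TLS_RSA_WITH_3DES_EDE_CBC_SHA

def build_v2_compat_hello(version=(3, 1), challenge=b"\x00" * 16):
    """SSLv2-framed CLIENT-HELLO that announces `version` (3,1 = TLSv1)."""
    specs = b"".join(SPECS)
    # msg type 1, version, cipher-spec length, session-id length, challenge length
    body = struct.pack("!BBBHHH", 1, version[0], version[1],
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte record header: high bit set, 15-bit length, no padding.
    return struct.pack("!H", 0x8000 | len(body)) + body

def classify_first_record(data):
    """Name the framing of the first bytes a peer sent."""
    if len(data) < 5:
        return "truncated"
    # SSLv3/TLS record: content type, version major 3, minor, 16-bit length.
    if data[0] in (21, 22) and data[1] == 3:
        kind = "handshake" if data[0] == 22 else "alert"
        name = {0: "SSLv3", 1: "TLSv1"}.get(data[2], "TLS 3.%d" % data[2])
        return "%s %s record" % (name, kind)
    # SSLv2 record: 2-byte header with the high bit set, then the message type.
    if data[0] & 0x80:
        length = struct.unpack("!H", data[:2])[0] & 0x7FFF
        msg = {0: "ERROR", 1: "CLIENT-HELLO", 4: "SERVER-HELLO"}.get(
            data[2], "type %d" % data[2])
        if msg == "CLIENT-HELLO":
            return "SSLv2-framed CLIENT-HELLO announcing %d.%d (%d bytes)" % (
                data[3], data[4], length)
        return "SSLv2 %s (%d bytes)" % (msg, length)
    return "not SSL/TLS"

if __name__ == "__main__":
    # Constructed samples: our own greeting, then two possible server replies.
    for sample in (build_v2_compat_hello(),
                   bytes.fromhex("832a040001"),     # SSLv2 SERVER-HELLO header
                   bytes.fromhex("160301004a02")):  # TLSv1 handshake record
        print(classify_first_record(sample))
```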


