Thanks so much for the reply....

On Sat, Sep 10, 2016 at 2:14 AM, Christian Hammond <christ...@beanbaginc.com> wrote:

> Hi Eric,
>
> RBTools itself isn't handling SSL/TLS, and has no awareness of the various
> protocols/ciphers. We use Python's urllib2 to establish the connections,
> and that's going through the ssl module. I don't have a good answer on next
> steps here, but it's not an issue that'll be specific to RBTools or will
> involve our codebase, most likely.
>

At least as far as "rbt" is concerned, a "verbose" option, or a
"debug" option might be useful. For example, when rbt is using ssl, what
version of OPENSSL is getting invoked?

In any case, I did get a bunch further with this. I failed to note a
critical piece of information in my original post - I'm running on a Mac
(10.11.X).

There seem to be three scenarios:

   - Install ReviewBoard from the RBTools.pkg
   - Install ReviewBoard using easy_install or pip.
   - Install ReviewBoard from a package manager (MacPorts)

The three different scenarios play out as follows:

Install from RBTools.pkg - this installs an "rbt" shell item in
/usr/local/bin, puts RBTools in the site-packages folder for the
OS-installed versions of Python (2.6 & 2.7) and puts a shebang (#!) line at
the beginning that binds to one of the OS installed versions (2.6, for me).
These installs do not pick up alternate versions of installed software,
such as MacPorts or HomeBrew.

Install from easy_install - installs rbt to the OS's version of Python.
Again, ignores MacPorts & HomeBrew. When I installed via pip, this didn't
create a shell "rbt" install in my MacPorts "bin" folder (/opt/local/bin).

Currently MacPorts is behind by a few versions (0.4.3).

Unfortunately, when the install binds to one of the OS versions of Python,
it ends up using the OS provided version of OpenSSL. According to one of my
co-workers, Apple is no longer supporting openssl, so it won't be
progressing past 0.9.8. That version of openssl is stuck at TLS 1 support.

Conclusions:

   - This seems to be an Apple bug - anything that installs and uses the OS
   available versions of Python will be hamstrung to using an older and less
   secure version of the "ssl" package, due to its implementation calling out
   to older branches of openssl.
   - This could possibly be an RBTools install issue - would be nice if the
   installer could detect alternate Pythons on the machine (HomeBrew /
   MacPorts), and install with those versions of Python rather than the system
   packages
   - Possibly a problem with the pip install? When I did the pip install,
   that did not generate an "rbt" shell script in the right place. Obviously,
   I can make my own script to call it, but still annoying.
   - This could possibly be an issue with MacPorts - perhaps I can submit a
   package to update RBTools MacPorts implementation.

Annoying and complicated issue. Thanks for your response.

Eric.


>
> Christian
>
>
> On Friday, September 9, 2016, eric via reviewboard <
> reviewboard@googlegroups.com> wrote:
>
>> Some follow-on information.
>>
>> I grabbed my Apache configuration for the server from
>> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>> Initially, I tried the "Modern" configuration.
>>
>> When I switch to the "Intermediate" configuration, it starts working.
>>
>> I updated my logging on the server to track which protocol & cipher are
>> being used, and I see this when I connect from the browser:
>>
>> TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
>>
>> (That's good)
>>
>>
>> ... but I see this if I run "rbt setup-repo" or "rbt post"
>>
>> TLSv1 DHE-RSA-AES128-SHA
>>
>>
>> Why is it that rbt uses the older protocol & cipher? I've been advised to
>> go run wireshark, and maybe that will provide more insight.
>>
>>
>> Eric.
>>
>>
>>
>> On Friday, September 9, 2016 at 10:02:28 AM UTC-7, er...@tibco.com wrote:
>>>
>>> The specific, full message is this:
>>>
>>> ERROR: Could not reach the Review Board server at ________________: SSL:
>>> SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)
>>>
>>>
>>> This is not a self-signed certificate. My web browsers all work fine
>>> when I connect to the site. When I do this:
>>>
>>>
>>> > python
>>>
>>> > import ssl
>>>
>>> > ssl.OPENSSL_VERSION
>>>
>>> >>> 'OpenSSL 1.0.2h  3 May 2016'
>>>
>>>
>>> I'm sort of at a loss for how to troubleshoot this. I turn on all the
>>> debugging and logging I can on the server, and I'm not seeing any
>>> additional information.
>>>
>>>
>>> It doesn't look like rbt setup-repo takes any "verbose" options that
>>> will clarify the problem.
>>>
>>>
>>> Suggestions?
>>>
>>>
>>> Thanks!
>>>
>>>
>>> Eric.
>>>
>> --
>> Supercharge your Review Board with Power Pack:
>> https://www.reviewboard.org/powerpack/
>> Want us to host Review Board for you? Check out RBCommons:
>> https://rbcommons.com/
>> Happy user? Let us know! https://www.reviewboard.org/users/
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "reviewboard" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to reviewboard+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> --
> --
> Christian Hammond
> President/CEO of Beanbag <https://www.beanbaginc.com/>
> Makers of Review Board <https://www.reviewboard.org/>
>
>
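
The check the thread arrives at by hand, as an added example (not part of the original messages and not RBTools code): read the `#!` line of an installed launcher such as the `/usr/local/bin/rbt` mentioned above, run that interpreter, and report which OpenSSL its `ssl` module is linked against. The function names and report keys are made up for this sketch; the 1.0.1 threshold is the OpenSSL release that introduced TLS 1.1 and 1.2.

```python
import re
import shlex
import ssl
import subprocess
import sys

# One-liner run inside the target interpreter; valid on Python 2.6 through 3.x.
PROBE = ("import ssl, sys; sys.stdout.write(ssl.OPENSSL_VERSION + '|' + "
         "str(hasattr(ssl, 'PROTOCOL_TLSv1_2')))")


def shebang_interpreter(script_path):
    """Return the interpreter argv from a script's #! line, or None."""
    with open(script_path, "rb") as f:
        first = f.readline().decode("utf-8", "replace").strip()
    return shlex.split(first[2:]) if first.startswith("#!") else None


def openssl_has_tls12(version_string):
    """TLS 1.1/1.2 arrived in OpenSSL 1.0.1; None means 'not an OpenSSL string'."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        return None  # e.g. LibreSSL, which numbers its releases differently
    return tuple(int(g) for g in m.groups()) >= (1, 0, 1)


def probe_interpreter(argv):
    """Ask the interpreter in argv which OpenSSL its ssl module is linked to."""
    out = subprocess.check_output(list(argv) + ["-c", PROBE]).decode()
    version, has_const = out.rsplit("|", 1)
    return {"interpreter": list(argv), "openssl": version,
            "ssl_module_tls12": has_const == "True",
            "library_tls12": openssl_has_tls12(version)}


def diagnose(script_path):
    """Compare the script's interpreter with the one running this check."""
    argv = shebang_interpreter(script_path)
    if argv is None:
        raise ValueError("%s has no #! line" % script_path)
    report = probe_interpreter(argv)
    report["matches_current_python"] = report["openssl"] == ssl.OPENSSL_VERSION
    return report


if __name__ == "__main__":
    # Usage: python check_launcher_ssl.py /usr/local/bin/rbt
    for key, value in sorted(diagnose(sys.argv[1]).items()):
        print("%-24s %s" % (key, value))
```

A `matches_current_python` of `False` is the situation described in the thread: the `python` typed at the prompt and the interpreter the launcher is bound to are linked against different OpenSSL builds.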
