It looks like the koji 1.16 command line client isn't working under TLS1.3 on Fedora 29.
Replication steps:
1. Set mod_ssl to only use TLS1.3
2. restart apache
3. koji moshimoshi
Results: 2019-02-06 16:13:31,138 [ERROR] koji: HTTPError: 403 Client Error: Forbidden for url: https://testhost.example.com/kojihub/ssllogin
SSL_verify_client_post_handshake:extension not received
When switching to only use TLS1.2 the problem is gone as 'SSL_verify_client_post_handshake' is a TLS1.3 extension.
My configs are pretty boring....
Just the stock Fedora 29 apache/koji-hub/koji-web. The only changes from defaults are: enable ssl auth, point to my actual hostname.
I set the crypto-policy to NEXT. Then I manually set the TLS version.
>>> requests.get('https://testhost.example.com/koji/login', cert=('client.crt', 'client.crt'))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='testhost.example.com', port=443): Max retries exceeded with url: /koji/login (Caused by SSLError(SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:726)'),))
This does appear to be linked to other bits of the stack[1]. I'll hop over there since this is lower in the stack.
Any chance to get a note on this behavior into the "How to setup koji hub"? I lost a few hours on this today....
[1] https://bugs.python.org/issue34670
At this point we rely pretty heavily on python-requests to do the heavy lifting for our connections. We don't get deep into the handshake, so I'd be surprised if anything we're doing is breaking TLS1.3 specifically.
We could add a note I guess, though hopefully this will be fixed soon.
Do you have a suggestion on where exactly the note should go?
@mikem The problem is that F29 enables TLSv1.3 by default (and python's ssl lib can't handle it correctly), so as @jcpunk said, koji is not working with default configs. I would write comments into the httpd configs (/kojihub/ssllogin, /koji/login).
1) mod_ssl protocols can be changed only on the virtualserver or server level, so the option must be somewhere other than kojihub.conf (ssl.conf works): SSLProtocol all -SSLv3 -TLSv1.3
2) The error will not manifest with a python2 client (python2 has no v1.3 support at all) if the server supports other protocols.
3) The error will always be present with a py3 client + TLSv1.3. The ugly thing is that apache returns only a 403 response, and the proper error is only seen in the apache log.
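Added example, not koji's own client code: a Python 3 client SSL context that opts in to the TLS 1.3 post-handshake client-auth extension the httpd log reports as missing (the SSLContext.post_handshake_auth attribute from bpo-34670), falling back to a TLS 1.2 cap, the client-side counterpart of the -TLSv1.3 server setting above, on interpreters that lack it. Host, path and certificate file names are placeholders.

```python
import ssl
import http.client

# Constructed placeholders; substitute your own hub and client cert.
HUB_HOST = "testhost.example.com"
SSLLOGIN_PATH = "/kojihub/ssllogin"


def supports_post_handshake_auth():
    """True if this Python can advertise TLS 1.3 post-handshake client auth.

    Without it, a per-Location SSLVerifyClient on TLS 1.3 yields a bare 403
    and 'SSL_verify_client_post_handshake:extension not received' in the log.
    """
    return hasattr(ssl.SSLContext, "post_handshake_auth")


def make_client_context(cert_path=None, key_path=None, ca_path=None):
    """Client context for cert auth against a TLS 1.3-only httpd."""
    ctx = ssl.create_default_context(cafile=ca_path)
    if cert_path:
        ctx.load_cert_chain(cert_path, key_path)
    if supports_post_handshake_auth():
        # Send the post_handshake_auth extension so httpd can ask for the
        # client cert after the handshake (TLS 1.3 has no renegotiation).
        ctx.post_handshake_auth = True
    else:
        # Old ssl module: stay on TLS 1.2, where the server can renegotiate.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx):
    """The knobs worth logging when diagnosing the 403 from this ticket."""
    return {
        "post_handshake_auth": bool(getattr(ctx, "post_handshake_auth", False)),
        "max_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
    }


def ssl_login(ctx, host=HUB_HOST, path=SSLLOGIN_PATH, timeout=10):
    """GET the ssllogin endpoint; returns (status, reason) for inspection."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.reason
    finally:
        conn.close()
```

Call make_client_context("client.crt", "client.key") and pass it to ssl_login to check a hub; a 403 with post_handshake_auth False and TLS 1.3 negotiated is the symptom described in this ticket.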
That all sounds good to me.
@mikem Shouldn't this (note about altering SSLProtocol) be part of docs for 1.17?