Curl has dropped rc4 support by default.
It causes arcanist problems for latest curl versions.
See the discussion at http://sourceforge.net/p/curl/bugs/1323/#1816
Differential D8855
rc4 support for latest curl versions
Authored by rugabarbo on Apr 24 2014, 5:09 PM.
Event Timeline

Comment Actions

@epriestley, please, check it. I think that at least someone else should check it with:

    arc patch D8855

Comment Actions

This is not correct. It will prevent use of any ciphers except RC4-SHA.

The cipher list on secure.phabricator.com is:

    ssl_ciphers RC4-SHA:RC4-MD5:+HIGH:!aNULL::!kEDH;

I intended this to mean: "RC4-SHA", "RC4-MD5", and all ciphers in the "HIGH" suite.

My expectation is that if a client is unable to connect to secure.phabricator.com because it can not negotiate a cipher, that should mean that it has disabled RC4-SHA, RC4-MD5, and all of the HIGH ciphers. I believe it's reasonable to refuse connections from these clients, since I don't know why a client would do this.

It's possible I've misconfigured secure.phabricator.com. Particularly, this fails, when I would expect it to work:

    $ curl --ciphers HIGH https://secure.phabricator.com/
    curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

It's also possible I have compiled OpenSSL or nginx incorrectly when responding to Heartbleed, so this may have worked before April 9 but stopped working when we changed nginx and openssl binaries to versions built from source.

It's also possible that the list of ciphers in HIGH is very small, and there are reasonably no overlapping ciphers in the client and server flavors of HIGH, even though both are configured correctly.

In any case, this needs to be resolved by fixing the configuration or build for secure.phabricator.com. I probably don't have time to do this any time soon. Here are some questions I don't currently know the answers to:

Comment Actions

I changed the ssl_ciphers directive to this:

    ssl_ciphers RC4-SHA:RC4-MD5:HIGH:!aNULL:!kEDH;

I am now able to connect with --ciphers HIGH:

    $ curl --ciphers HIGH https://secure.phabricator.com/
    <!DOCTYPE html><html><head><meta charset="UTF-8" /><title>Phabricator</title> ...

Can you try from your machine (without this patch)?

The command:

    $ openssl ciphers 'some:cipher:string:here'

...can be used to materialize a cipher specification. The "+" operator does not behave like I believed it did.

Comment Actions

Cool! This causes no problems now:

    $ git checkout master
    Switched to branch 'master'
    Your branch is up-to-date with 'origin/master'.
    $ arc list
    * Needs Revision D8855: rc4 support for latest curl versions

arc list works fine without this patch.

Comment Actions

Okay, cool. Thanks for digging into this, the old configuration was definitely not correct.
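The behaviour of the "+" operator discussed in the thread, as a simplified Python model of the prefix rules documented in OpenSSL's ciphers(1). This is an added illustration, not code from the revision or from any commenter; the cipher catalogue is a small constructed subset, and `expand` and `negotiable` are hypothetical helper names.

```python
# Simplified model of OpenSSL cipher-string evaluation (prefix operators only;
# combined selectors such as AES+SHA are not modelled).
# CATALOG is a small constructed subset of ciphers with illustrative tags.
CATALOG = {
    "RC4-SHA":            {"MEDIUM", "RC4", "kRSA"},
    "RC4-MD5":            {"MEDIUM", "RC4", "kRSA"},
    "AES256-SHA":         {"HIGH", "kRSA"},
    "AES128-SHA":         {"HIGH", "kRSA"},
    "DHE-RSA-AES256-SHA": {"HIGH", "kEDH"},
    "ADH-AES256-SHA":     {"HIGH", "kEDH", "aNULL"},
}

def matches(selector):
    """Names selected by a cipher name or by a tag such as HIGH."""
    return [n for n, tags in CATALOG.items() if selector == n or selector in tags]

def expand(spec):
    """Return the ordered cipher list that `spec` evaluates to."""
    active, killed = [], set()
    for item in spec.replace(",", ":").replace(" ", ":").split(":"):
        if not item:        # empty item, as in "!aNULL::!kEDH", is skipped
            continue
        op = item[0] if item[0] in "!-+" else ""
        hits = matches(item[len(op):])
        if op == "!":       # permanently delete; can never be re-added
            killed.update(hits)
            active = [c for c in active if c not in killed]
        elif op == "-":     # delete, but later items may add it back
            active = [c for c in active if c not in hits]
        elif op == "+":     # only moves ciphers ALREADY in the list to the end
            moved = [c for c in active if c in hits]
            active = [c for c in active if c not in hits] + moved
        else:               # no prefix: append anything not yet present
            active += [c for c in hits if c not in active and c not in killed]
    return active

def negotiable(server_spec, client_spec):
    """Ciphers both sides would accept, in server preference order."""
    client = set(expand(client_spec))
    return [c for c in expand(server_spec) if c in client]

OLD = "RC4-SHA:RC4-MD5:+HIGH:!aNULL::!kEDH"   # directive quoted in the thread
NEW = "RC4-SHA:RC4-MD5:HIGH:!aNULL:!kEDH"     # corrected directive

if __name__ == "__main__":
    for name, spec in (("old", OLD), ("new", NEW)):
        print(name, expand(spec), "| with HIGH-only client:", negotiable(spec, "HIGH"))
```

On a real host, `openssl ciphers -v '<string>'` gives the authoritative expansion for the installed build; the model only shows why the old directive left no cipher in common with a client restricted to HIGH.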