
#4839 accepted infra

Ensure TLS 1.3 is enabled for *.rtems.org

Reported by: Joel Sherrill Owned by: Amar Takhar
Priority: normal Milestone: Indefinite
Component: admin Version:
Severity: normal Keywords: funded project-1
Cc: Blocked By:
Blocking:

Description (last modified by Joel Sherrill)

Passing along a report from a user that their IT has blocked pages using TLS 1.2. This impacts at least the RSB downloading patches associated with RTEMS tickets.

Here is their curl verbose output in case it helps:

$ curl -vvvv https://devel.rtems.org/raw-attachment/ticket/4783/0001-checks.c-Ensure-argument-is-an-integer-v2.patch
*   Trying 140.211.10.146...
* TCP_NODELAY set
* Connected to devel.rtems.org (140.211.10.146) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac

Change History (8)

comment:1 Changed on 02/06/23 at 23:14:59 by Amar Takhar

Keywords: funded project-1 added
Owner: changed from Needs Funding to Amar Takhar
Status: assigned → accepted
Type: defect → infra

There is already a system update going on; this will be fixed when everything is updated by default. Thanks for the report.

comment:2 Changed on 02/09/23 at 14:33:22 by Joel Sherrill

Description: modified (diff)

comment:3 in reply to: 1 Changed on 02/09/23 at 14:34:17 by Joel Sherrill

Replying to Amar Takhar:

There is already a system update going on; this will be fixed when everything is updated by default. Thanks for the report.

I assumed it was something that would be caught by your updates but wanted to make sure it was reported and known. If nothing else, it gives a test case and says someone noticed. :)

comment:4 Changed on 02/10/23 at 21:56:44 by Amar Takhar

These updates happened back in 2022-05 (May). We pass with A+ from Qualys, so it must be a local error, see:

https://www.ssllabs.com/ssltest/analyze.html?d=devel.rtems.org

I'll leave this open for now, but there is nothing for me to do. It's possible it's a local forced caching proxy or an injected certificate that has an older version of TLS that is causing issues. Not sure what country they are in?

comment:5 Changed on 02/10/23 at 23:13:32 by Joel Sherrill

They are in the US but at an organization with draconian IT policies. I'm sure part of this is on their side. Just no idea what.

With RTEMS.org now at TLS 1.3, there is nothing else we can do. We've asked the user to try again but it will be Monday before they can.

comment:6 Changed on 02/10/23 at 23:29:03 by Amar Takhar

This was actually disabled back in May 2022 in response to the security reports from the OSL. It was never re-enabled after the software updates because I thought it would only properly work after an OS update.

It seems, at least for devel.rtems.org, this is not the case. I enabled TLS 1.3 and we still have an A+ rating. I'll try the rest of the services as I update them in the next few days.

comment:7 Changed on 02/10/23 at 23:30:11 by Amar Takhar

Summary: TLS needs updating to 1.3 for Trac (devel.rtems.org) → Ensure TLS 1.3 is enabled for *.rtems.org

comment:8 Changed on 02/13/23 at 15:36:17 by Joel Sherrill

Thanks Amar. And now it is Monday and we have feedback from the user with the "interesting" IT. Some tool patches come from devel.rtems.org and that was resolved. But when using the RSB, a tarball of rtems-tools is requested from git.rtems.org and that apparently has the same issue.

The reporter doesn't know the services are on different jails so each one has to be addressed individually. I don't know if it matters that all services have TLS 1.3 enabled but the ones the RSB fetches from need it.

It was partially successful. 

The scripts now successfully pull the patches on the devel.rtems.org web server without issue. However, it appears that the script is attempting to pull a rtems-tools bzip from the git.rtems.org server and that still fails with the same error as before. It appears that server didn't get the TLS 1.3 upgrade.

The log is attached and the curl is below:

$ curl -vvvv https://git.rtems.org/rtems-tools/snapshot/rtems-tools-6970c47c70eeb9908c0b4344a53d4f1e6f206408.tar.bz2
*   Trying 140.211.10.143...
* TCP_NODELAY set
* Connected to git.rtems.org (140.211.10.143) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* stopped the pause stream!
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
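An added example, not part of this ticket or the RTEMS infrastructure: it reads a `curl -v` trace like the two pasted above and reports which TLS version the server actually settled on and how the handshake ended, so each *.rtems.org jail can be checked individually (as comment 8 notes) before re-running the RSB. The sample trace inside is constructed to mirror the report.

```python
"""Parse a `curl -v` TLS trace: which version the server settled on and how the handshake ended.
Added example for this ticket, not RTEMS code; SAMPLE_TRACE is constructed to mirror the report."""
import re

RECORD_RE = re.compile(r"^\* (TLSv1\.\d) \((IN|OUT)\), TLS (handshake|alert|change cipher), (.+?) \(\d+\):?$")
USING_RE = re.compile(r"^\* SSL connection using (TLSv1\.\d)")  # printed by curl once the handshake succeeds
ALERT_RE = re.compile(r"^\* error:.*alert (.+)$")               # OpenSSL's decoded alert description
CURL_RE = re.compile(r"^curl: \((\d+)\)")


def parse_curl_tls_trace(trace: str) -> dict:
    r = {"offered": None, "negotiated": None, "completed": False, "alert": None, "curl_exit": None}
    after_server_hello = False
    for line in (l.strip() for l in trace.splitlines()):
        if m := RECORD_RE.match(line):
            version, direction, layer, msg = m.groups()
            if layer == "handshake" and msg == "Client hello" and direction == "OUT":
                r["offered"] = version  # highest version the client is willing to speak
            elif layer == "handshake" and msg == "Server hello":
                after_server_hello = True  # curl still labels this record with the offered version
            elif after_server_hello and direction == "IN" and r["negotiated"] is None:
                r["negotiated"] = version  # first server record after Server hello carries the chosen version
            if layer == "handshake" and msg == "Finished" and direction == "IN":
                r["completed"] = True  # server's Finished (20); "Server finished (14)" is only ServerHelloDone
        elif m := USING_RE.match(line):
            r["negotiated"], r["completed"] = m.group(1), True  # curl's own summary line is authoritative
        elif m := ALERT_RE.match(line):
            r["alert"] = m.group(1)
        elif m := CURL_RE.match(line):
            r["curl_exit"] = int(m.group(1))
    return r


def verdict(r: dict) -> str:
    """One-line reading of a parsed trace, for checking each *.rtems.org service in turn."""
    if r["completed"] and r["negotiated"] == "TLSv1.3":
        return "ok: TLS 1.3 negotiated"
    if r["completed"]:
        return f"warn: handshake completed on {r['negotiated']} (client offered {r['offered']})"
    return (f"fail: server chose {r['negotiated']} and the handshake aborted "
            f"(alert: {r['alert'] or 'none'}, curl exit {r['curl_exit']})")


SAMPLE_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
"""
```

Run `curl -vvvv https://<host> 2>&1 | python3 -c 'import sys; ...'` style pipelines per host, or feed saved traces to `verdict(parse_curl_tls_trace(text))`; a "fail" with a TLSv1.2 fallback on a host that should be serving TLS 1.3 is the pattern this ticket describes.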