Bug 38170

Summary: There is no supported cipher suites for archive.apache.org
Product: Sisyphus
Component: java-1.8.0-openjdk
Status: CLOSED FIXED
Severity: normal
Priority: P5
Version: unstable
Hardware: x86_64
OS: Linux
Reporter: Alexey <blitzkrieg>
Assignee: Andrey Cherepanov <cas>
QA Contact: qa-sisyphus
CC: cas, enp, glebfm, grenka, viy

Attachments (description: flags):
java code to get list of available cipher suites in the system: none
Java code to check SSL socket: none

Description Alexey 2020-03-02 11:09:33 MSK
Created attachment 8643 [details]
java code to get list of available cipher suites in the system

I discovered that there are no supported cipher suites in any of the Alt Linux docker containers.
I use the attached Java code to get the list of supported cipher suites.
You can compile it with javac Ciphers.java and run it with java Ciphers

This is the list of available cipher suites in alt:p9
Default	Cipher
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_128_GCM_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
*	TLS_RSA_WITH_AES_256_GCM_SHA384

And this is the list of available cipher suites from Centos 7

Default	Cipher
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_128_GCM_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
*	TLS_RSA_WITH_AES_256_GCM_SHA384

This is the list for the archive.apache.org server

       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
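
Added example (not part of the original report or its attachments): a Java check that intersects the cipher suites this JRE enables with the archive.apache.org list quoted above, and prints the JRE settings relevant to ECDHE availability. The class name CipherOverlap is an assumption; the server list is copied from the description.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherOverlap {
    // Suites the report lists for archive.apache.org (copied from the description).
    static final String[] SERVER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    };

    // Suites both sides could negotiate; an empty set means no handshake is possible.
    static Set<String> overlap(String[] client, String[] server) {
        Set<String> common = new TreeSet<>(Arrays.asList(client));
        common.retainAll(Arrays.asList(server));
        return common;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("default protocols : " + Arrays.toString(defaults.getProtocols()));
        System.out.println("disabled (TLS)    : " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        // Probe for an EC implementation; SunJSSE leaves ECDHE suites out when no provider offers EC.
        try {
            System.out.println("EC provider       : " + KeyPairGenerator.getInstance("EC").getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("EC provider       : none (" + e.getMessage() + ")");
        }

        Set<String> enabled = overlap(defaults.getCipherSuites(), SERVER_SUITES);
        Set<String> possible = overlap(supported.getCipherSuites(), SERVER_SUITES);
        System.out.println("enabled by default and offered by server: " + enabled);
        System.out.println("supported by JRE and offered by server  : " + possible);
        if (enabled.isEmpty()) {
            System.out.println("No common suite: expect SSLHandshakeException (handshake_failure).");
        }
    }
}
```

With the alt:p9 list from the description as the client side, the overlap is empty because none of the client suites use ECDHE, which matches the handshake_failure reported later in the thread.
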
Comment 1 Alexey 2020-03-02 11:14:00 MSK
Created attachment 8644 [details]
Java code to check SSL socket
Comment 2 obirvalger@altlinux.org 2020-03-02 16:21:34 MSK
What version of Java was used?
Comment 3 Alexey 2020-03-02 16:31:50 MSK
I don't think that this problem is related to the Java version. I've tried lower and greater versions of Java in Centos.

openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)
Comment 4 Alexey 2020-03-02 16:32:51 MSK
java-1.8.0-openjdk-1.8.0.212.b04-alt2_0jpp8.x86_64
Comment 5 obirvalger@altlinux.org 2020-03-02 16:34:08 MSK
Java was installed from our repository?
Comment 6 Alexey 2020-03-02 16:45:35 MSK
I installed it in a docker container; I didn't change anything in it.
docker run -it --rm alt:p9

It has these repositories enabled:

rpm [p9] http://mirror.yandex.ru/altlinux p9/branch/x86_64 classic
rpm [p9] http://mirror.yandex.ru/altlinux p9/branch/x86_64-i586 classic
rpm [p9] http://mirror.yandex.ru/altlinux p9/branch/noarch classic
Comment 7 Alexey 2020-03-13 13:10:44 MSK
Another problem related to this issue occurs.

Could not HEAD 'http://repo.maven.apache.org/maven2/org/apache/thrift/libthrift/0.9.3/libthrift-0.9.3.pom'. Received status code 501 from server: HTTPS Required

If I change the Maven repo URL to https://, the following error occurs:

> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Comment 8 Repository Robot 2021-02-02 15:39:23 MSK
java-1.8.0-openjdk-0:1.8.0.272.b10-alt3_0.3.eajpp8 -> sisyphus:

 Tue Feb 02 2021 Andrey Cherepanov <cas@altlinux> 0:1.8.0.272.b10-alt3_0.3.eajpp8
 - Remove crypto policy support that disable TLS1.3 (ALT #38170)