[opam-devel] Problem with ocaml.janestreet.com TLS cert?

Török Edwin edwin+ml-ocaml at etorok.net
Sat Apr 18 19:54:38 BST 2015


On 04/18/2015 06:35 PM, Anil Madhavapeddy wrote:
> This is a broken `curl` command on base OSX.  Try switching to wget with:
> 
>     export OPAMFETCH=wget
> 
> CCing Yaron Minsky and Jeremie Diminio about the Jane Street setup -- this is
> likely a result of disabling SSLv3 due to the POODLE attack.
> 
>> FWIW, visiting the site, Chrome complains:

I don't think this is related to the problem you're seeing with curl as curl works fine on Debian Jessie.

>>
>> "The identity of this website has been verified by VeriSign Class 3
>> Secure Server CA - G3 but does not have public audit records.
>>
>> The site is using outdated security settings that may prevent future
>> versions of Chrome from being able to safely access it."

https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

>>
>> and
>>
>> "Your connection to ocaml.janestreet.com is encrypted with obsolete
>> cryptography.
>>
>> The connection uses TLS 1.2.
>>
>> The connection is encrypted and authenticated using AES_128_GCM and
>> uses RSA as the key exchange mechanism."
>>

Probably complains about lack of ECDHE, but then Firefox does use ECDHE, and Chrome doesn't:
https://www.ssllabs.com/ssltest/analyze.html?d=ocaml.janestreet.com

Best regards,
--Edwin


