please reenable support for older SSL #1967
Comments
@ranguard is this part of the Fastly config? |
Enable TLS 1.2 in your browser options and it will work
All other options are no longer supported (and you will soon find this on lots of sites - as the older versions will not be PCI compliant soon)
Leo
… On 30 Aug 2017, at 15:47, Olaf Alders ***@***.***> wrote:
@ranguard is this part of the Fastly config?
|
Any chance you could deprecate this gracefully with a warning notice? For a while Opera ASA automatically disabled TLS 1.2 on auto-update (don't remember the reason, probably because it was too early for it to work gracefully). Having TLS 1.0 work with a warning would allow people to notice and fix this. |
Also, you might wanna address the other domains as well for consistency: https://observatory.mozilla.org/analyze.html?host=fastapi.metacpan.org#tls |
haarg just told me you can choose to use the configuration fastapi has for the main domain still, so a graceful deprecation can be done. |
To prevent guesswork of what i mean with graceful deprecation: I'd be happy to provide a patch that adds a ribbon at the top of the site for Opera users at v12 and below, with the following text. If necessary i'll also add JS to hide it and set a cookie to keep it hidden. "We're switching off TLS 1.0 and 1.1 on date XYZ, enable TLS 1.2 in your settings by then." |
TLS 1.2 is shortly going to become the only option many many sites support. So the issue here is with Opera (which should enable 1.2 by default) and the updates (which should also enable or at least not disable 1.2), not with our site. Please open an issue with them. Further explanation of why it is not worth our time to do this: All our traffic goes through Fastly (our CDN) and to make things secure/compliant they are in the process of deprecating anything other than TLS 1.2: https://www.fastly.com/blog/phase-two-our-tls-10-and-11-deprecation-plan We have dropped support for anything other than TLS 1.2 for quite a while (I'm trying to get confirmation of when that happened, but I think it was as part of the April change over). Our plan was if there were lots of complaints we'd do a rollback and build a deprecation screen to display. We had no one complain at this point so did no further work. There were 167 Opera users identified with the Opera browser in the last 30 days, and I'm assuming some of those are the It would be non-trivial for us to add any messaging: we would have to switch to the Fastly legacy system (their main system will not do SSL for anything other than TLS1.2) and then change Fastly configuration to identify the TLS connection used and serve an instruction page on how to enable TLS 1.2 (we could not just add a banner as we have caching in place which this would not work with) - and for a couple of hundred users that's not worth my time - Sorry. |
No you did not. This change is very recent. I was browsing metacpan just fine a few days ago on Opera v12.
Your mention of a reskin implies you know that asking Opera to do anything with Opera v12 is fruitless because they've thrown that code base away, cloned Chrome with a custom skin and were bought by a Chinese malware company after firing all their browser developers. So i don't understand why you even suggest that. Also, haarg checked the traffic in greater detail: 17:26 (haarg) Mithaldu: there are a handful of people accessing the site using old opera
You're going about this the wrong way. The way you proposed is indeed onerous. However all you need is a handful of lines of JavaScript, which i am happy to provide. I'm fairly sure adding a bit of JS would not affect your caching, right? There was more discussion about this on IRC and even mst agrees it is reasonable. Please go and have a read of the #metacpan logs. |
IRC log on whether something on my end might've changed. Feel free to ask if you have more guesses:
|
I'm on holiday and hadn't followed IRC, thanks for the thread. I have just confirmed with Fastly, the change happened on the 8th of Aug 2017 for metacpan.org (because of which certificate we are on), so confirmed this is our end. There is a path we could go down for short term (that will end in June 2018) and we can get a VCL variable of which TLS version was used so can write configs based on this. There is no point doing this in Javascript for a few Opera users (we would still have to do certificate changes with Fastly and update our DNS). There would be a point if we get lots of other reports from many different users. IF we get many other reports then I'll consider doing the work. As a side note, I went through this process at work, with paying customers (I think that's why I was thinking of April) and the only issues reported were a few very old iOS safari users. |
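Added example, not part of the thread or of metacpan's or Fastly's code: one way to measure, before a TLS 1.0/1.1 cutoff, how many distinct clients never negotiate TLS 1.2, given edge logs that record the negotiated protocol version. The log format, client ids and user-agent strings are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, not real metacpan.org or Fastly logs.
# Assumed (hypothetical) format: <client-id> <negotiated protocol> "<user agent>"
SAMPLE_LOG = '''\
c01 TLSv1.2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
c02 TLSv1 "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.18"
c03 TLSv1.1 "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3 like Mac OS X) Safari/6533"
c04 TLSv1.2 "Mozilla/5.0 (Windows NT 10.0) Chrome/60.0"
c05 TLSv1.2 "curl/7.55.1"
this line is malformed and must be skipped
c01 TLSv1.2 "Mozilla/5.0 (X11; Linux x86_64) Firefox/55.0"
'''

LINE_RE = re.compile(r'^(\S+) (TLSv1(?:\.[1-3])?|SSLv3) "([^"]*)"$')
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # everything below TLS 1.2


def parse(log_text):
    """Yield (client, protocol, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def summarize(log_text):
    """Count unique clients and list those that only used legacy protocols."""
    protocols_by_client = defaultdict(set)
    agent_by_client = {}
    for client, proto, agent in parse(log_text):
        protocols_by_client[client].add(proto)
        agent_by_client[client] = agent
    # A client is affected only if it never negotiated TLS 1.2 or newer.
    affected = sorted(c for c, p in protocols_by_client.items() if p <= LEGACY)
    total = len(protocols_by_client)
    return {
        "clients": total,
        "affected": affected,
        "affected_share": len(affected) / total if total else 0.0,
        "affected_agents": sorted({agent_by_client[c] for c in affected}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{len(report['affected'])}/{report['clients']} clients "
          f"({report['affected_share']:.0%}) would lose access")
```

Counting distinct clients rather than requests keeps one busy legacy client from inflating the figure, and the user-agent list shows which browsers a notice page would need to address.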
Thanks for confirming it's not on my end.
Human psychology will not allow this to become a reality, regardless of what the facts of the issue are. We discussed this fact on IRC also, but at this point i don't care to explain this anymore. I give up. |
If someone wants to pay for this work I will do it, but my OS time is limited and there are other things I want to spend it on. |
TLS 1.0 has been deprecated for years. TLS 1.2 is almost ten years old. @wchristian, there's a cost to supporting old/unmaintained/deprecated software and protocols, you didn't give any indication why you thought that cost would be smaller than the cost for you to use a supported/updated browser. |
@abh I did not give any indication for thinking the cost of "support the old stuff" is lower because, as indicated by the comments in the issue, i moved my position from "support the old stuff" to "provide graceful deprecation via notices to users". |
I'm using Opera v12.18, the last version Opera ASA released before switching to a reskin of Chrome and proclaiming that the new Opera, and refusing to do further work on v12.
With that browser the metacpan server currently refuses to do SSL: "Handshake failed because the server does not want to accept the enabled SSL/TLS protocol versions."
The settings i see available for SSL are as follows. Can you please add one of them back to the config?