Issue 649

Title: Intermittent SSL signature issues
Priority: critical
Status: in-progress
Superseder:
Nosy List: berker.peksag, gregory.p.smith, mmangoba, ncoghlan, ned.deily, r.david.murray
Assigned To: mmangoba
Topics:

Created on 2018-03-25.11:43:51 by ncoghlan, last changed 2018-04-01.22:43:28 by mmangoba.

Messages
msg3430 (view) Author: ncoghlan Date: 2018-03-25.11:43:51
When accessing the bug tracker, Firefox intermittently reports SEC_ERROR_BAD_SIGNATURE. While a refresh usually fixes the problem, this suggests to me that something isn't quite right with the current host configuration.

(Perhaps this issue will be rendered obsolete by Maciej Szulik's efforts to rehost b.p.o on OpenShift?)
msg3431 (view) Author: ned.deily Date: 2018-03-26.02:40:30
Probably the same issue during that time period: a random subset of our GitHub webhook requests, triggered by changes to the python/cpython repo on GitHub, failed with "SSL connect failure".  Retrying them manually hours later from the GitHub admin interface, they all succeeded.  But failures like this caused havoc with our bugs.python.org / GitHub integration and overall python-dev workflows.  I haven't seen any failures since but there hasn't been a lot of activity either.

I did try using an online certificate checking tool (https://cryptoreport.websecurity.symantec.com/checker/) on https://bugs.python.org and found that the checker failed intermittently with "SSL certificate is not installed" error.

I also noticed on the Server Configuration info displayed by the Symantec tool when it succeeds that apparently bugs.python.org currently has an out-of-date and insecure set of SSL/TLS libs installed.  The report says that b.p.o only supports TLS 1.0 (and TLS 1.1 or 1.2) and is vulnerable to the BEAST and TLS renegotiation attacks.  It also says that the b.p.o server reports itself as "BaseHTTP/0.3 Python/2.6.6"!  If the migration of b.p.o to a more modern server is not going to happen imminently, perhaps the version of OpenSSL (or whatever) should be updated on the old server?
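The two reports above (intermittent SEC_ERROR_BAD_SIGNATURE in Firefox, intermittent "SSL connect failure" on webhooks, and an online checker that only sometimes sees the certificate) point at a host whose TLS endpoint is not the same on every connection. The single-shot checker does not show that; repeated fresh handshakes do. The script below is an added example, not part of this thread or of the b.p.o deployment: it handshakes with a host N times, records the negotiated protocol, the SHA-256 fingerprint of the leaf certificate and any handshake error, and reports whether every attempt agreed. The default host and attempt count are only illustrative defaults.

```python
"""Repeatedly handshake with a TLS host and flag inconsistent results.

Added example, not code from the tracker thread or the PSF deployment.
A healthy endpoint returns the same leaf certificate and protocol on every
connection and never fails the handshake; anything else suggests that
different connections are being answered by different (or broken) TLS
endpoints, which is what an intermittent bad-signature error looks like
from the client side.
"""
import hashlib
import socket
import ssl
from collections import Counter


def probe_once(host, port=443, timeout=5.0):
    """One TLS handshake on a fresh TCP connection; returns an outcome dict."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return {
                    "ok": True,
                    "version": tls.version(),
                    "fingerprint": hashlib.sha256(der).hexdigest(),
                    "error": None,
                }
    except OSError as exc:  # ssl.SSLError (incl. verification errors) is an OSError
        return {
            "ok": False,
            "version": None,
            "fingerprint": None,
            "error": "%s: %s" % (exc.__class__.__name__, exc),
        }


def summarize(results):
    """Aggregate probe outcomes.

    `consistent` is True only when every attempt succeeded with one
    fingerprint and one protocol version.
    """
    fingerprints = Counter(r["fingerprint"] for r in results if r["ok"])
    versions = Counter(r["version"] for r in results if r["ok"])
    failures = Counter(r["error"] for r in results if not r["ok"])
    consistent = len(fingerprints) == 1 and len(versions) == 1 and not failures
    return {
        "attempts": len(results),
        "fingerprints": dict(fingerprints),
        "versions": dict(versions),
        "failures": dict(failures),
        "consistent": consistent,
    }


def probe(host, attempts=20, port=443):
    """Handshake `attempts` times, each on a new connection, and summarize."""
    return summarize([probe_once(host, port) for _ in range(attempts)])


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "bugs.python.org"
    print(json.dumps(probe(target), indent=2))
```

Run it against the host while the problem is occurring; more than one fingerprint, or a mix of successes and `SSLCertVerificationError` failures, is the evidence to take to the hosting side. Fresh connections matter: a single long-lived session would keep talking to whichever endpoint answered first.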
msg3432 (view) Author: ned.deily Date: 2018-03-26.02:50:12
I added a comment and a link to this issue on the PSF infrastructure issue tracker.  There has been a similar open issue for several months there.

https://github.com/python/psf-infra-meta/issues/4
msg3433 (view) Author: gregory.p.smith Date: 2018-03-26.04:09:37
I was running into bad signature/hash errors sporadically today on bugs.python.org as well.
msg3434 (view) Author: mmangoba Date: 2018-03-26.04:40:20
I'm considering putting bugs behind Fastly for now that can potentially resolve this issue.
msg3435 (view) Author: berker.peksag Date: 2018-03-26.09:56:04
We may need to set custom rules for caching if we serve bugs.p.o behind Fastly since data needs to be fresh all the time. Otherwise, we would need to purge the cache every time we touch an issue.
msg3436 (view) Author: mmangoba Date: 2018-03-27.06:23:02
@berker.peksag you bring up a really good point.  I was taking a look at https://docs.fastly.com/guides/tutorials/cache-control-tutorial#backend-http-headers; we have some cache control here: https://docs.fastly.com/guides/tutorials/cache-control-tutorial#do-not-cache.

I think that by putting bugs behind Fastly too, we will benefit from its security features, such as DDoS mitigation, etc.  I'm going to run a few tests and see if this solution fits.
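The concern raised in the two messages above is that an issue page served from the edge cache goes stale the moment someone edits the issue, unless the origin marks it as uncacheable (the "do not cache" backend headers in the linked Fastly tutorial). The middleware below is an added example, not code from this thread, from Roundup or from the PSF deployment. It assumes the tracker is served through WSGI, that only assets under `/@@file/` (Roundup's static-file prefix) are safe to share, that a request carrying a `roundup_session` cookie is per-user, and that the TTLs shown are policy choices; the cookie name, prefix and TTLs are assumptions. Dynamic responses get `Cache-Control: private`, the header a shared cache must not store, and static assets get a browser TTL plus a longer edge-only TTL via `Surrogate-Control`.

```python
"""WSGI middleware that tells an edge cache which tracker responses it may keep.

Added example, not code from the thread, Roundup or the PSF deployment.
Issue pages, searches and actions must always reach the origin; only
static assets may be shared.  Any Cache-Control/Surrogate-Control the
application set itself is replaced so the policy here is authoritative.
"""
from urllib.parse import unquote

STATIC_PREFIXES = ("/@@file/",)   # assumed: Roundup's static-file prefix
SESSION_COOKIE = "roundup_session"  # assumed: prefix of the tracker's session cookie
STATIC_EDGE_TTL = 3600            # assumed policy: seconds kept at the edge
STATIC_BROWSER_TTL = 300          # assumed policy: seconds kept by browsers


def classify(path, has_session):
    """Return 'static' for shareable assets, 'dynamic' for everything else."""
    path = unquote(path or "/")
    if has_session:
        return "dynamic"          # never share a logged-in user's response
    if any(path.startswith(prefix) for prefix in STATIC_PREFIXES):
        return "static"
    return "dynamic"


def cache_headers(kind):
    """Headers for a response of the given kind."""
    if kind == "static":
        return [
            ("Cache-Control", "public, max-age=%d" % STATIC_BROWSER_TTL),
            # Surrogate-Control is consumed by the edge and not passed on.
            ("Surrogate-Control", "max-age=%d" % STATIC_EDGE_TTL),
        ]
    # 'private' keeps shared caches out; no-store/max-age=0 covers browsers.
    return [("Cache-Control", "private, no-store, max-age=0")]


class EdgeCachePolicy:
    """Wrap a WSGI app and stamp every response with the cache policy."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        has_session = SESSION_COOKIE in environ.get("HTTP_COOKIE", "")
        kind = classify(environ.get("PATH_INFO", "/"), has_session)

        def policy_start_response(status, headers, exc_info=None):
            managed = {"cache-control", "surrogate-control"}
            headers = [(k, v) for k, v in headers if k.lower() not in managed]
            headers.extend(cache_headers(kind))
            return start_response(status, headers, exc_info)

        return self.app(environ, policy_start_response)
```

With this in front of the tracker the edge can cache stylesheets and images while `/issue649`, searches and every `@action` request pass through, so no purge is needed when an issue changes. A purge-on-write hook would only be worth adding if the dynamic pages themselves were later made cacheable.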
msg3440 (view) Author: mmangoba Date: 2018-04-01.22:43:16
Fastly is uploading our new cert this upcoming Wednesday update; I'll work with Fastly to optimize the cache control.
History
Date                 User             Action  Args
2018-04-01 22:43:28  mmangoba         set     status: chatting -> in-progress
2018-04-01 22:43:17  mmangoba         set     messages: + msg3440
2018-03-27 06:23:03  mmangoba         set     messages: + msg3436
2018-03-26 09:56:04  berker.peksag    set     nosy: + berker.peksag; messages: + msg3435
2018-03-26 04:40:38  mmangoba         set     assignedto: mmangoba
2018-03-26 04:40:20  mmangoba         set     nosy: + mmangoba; messages: + msg3434
2018-03-26 04:09:38  gregory.p.smith  set     nosy: + gregory.p.smith; messages: + msg3433
2018-03-26 02:59:32  ezio.melotti     set     nosy: + r.david.murray
2018-03-26 02:50:12  ned.deily        set     messages: + msg3432
2018-03-26 02:40:31  ned.deily        set     status: unread -> chatting; nosy: + ned.deily; messages: + msg3431
2018-03-25 11:43:52  ncoghlan         create