> Yeah, that part is super weird. Do we know if that worked before? Or has it
> been using https for a while?
It looks like I installed Perl https support on that machine on 2017-01-14, so I'd guess dromedary has been using https since then.
So it could be something else. I have no idea what it would be though, since port 80 seems to work from elsewhere.
>> I can probably restore these machines to functionality by updating
>> whichever Perl module knows about TLS (anyone know which that is?),
>> so if you want to undo the config change, it's OK by me. But other
>> owners of ancient buildfarm critters might be less happy about it.
> I think what you'd need is a new version of openssl.
Yeah, I'd just come to that conclusion after researching things a bit (although it looks like IO::Socket::SSL has some relevant fixes too).
> But it might be hard to get in on all of them. Let's see if we can turn off
> the restriction for a while, and see if the other BF animals also recover.
The bigger issue here is that if we force buildfarm members to run openssl >= x.y, I'd say that's tantamount to desupporting openssl < x.y. Are we ready to desupport versions that don't have TLS 1.2? I think that might well be reasonable to do in HEAD, but I'm less enthused about it for the back branches.
Yeah, that's definitely a bigger problem.
We could always use http for those and not https. But surely that's *worse* than using an https that's considered insecure. Completely skipping it must be worse... And I don't think separating out the site into "submissions can do 1.0 but viewers can only do 1.2+" is reasonable, not given that the only things that actually pass credentials *are* the submissions.