Bug 1405959

Summary: With FUTURE system crypto policy, connections to github, getfedora.org fail
Product: [Fedora] Fedora
Reporter: Tomasz Torcz <tomek>
Component: gnutls
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 25
CC: nmavrogi, riehecky, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnutls-3.5.8-1.fc25
Doc Type: If docs needed, set a value
Last Closed: 2017-01-10 13:21:28 UTC
Type: Bug
Bug Blocks: 1179209    

Description Tomasz Torcz 2016-12-19 10:04:48 UTC
Description of problem:
As per https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/VP6URPLIMH5XARDTBBJKBOUVNIS5OLCH/ thread, when system crypto-policy is set to FUTURE, wget fails to connect to github and fedoraproject.org:

$ update-crypto-policies --set FUTURE
Setting system policy to FUTURE

$ wget github.org
--2016-12-19 11:00:22--  http://github.org/
Resolving github.org (github.org)... 188.166.203.69
Connecting to github.org (github.org)|188.166.203.69|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com [following]
--2016-12-19 11:00:22--  https://github.com/
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
ERROR: The certificate of 'github.com' is not trusted.
ERROR: The certificate of 'github.com' was signed using an insecure algorithm.


$ wget https://fedoraproject.org
--2016-12-19 11:00:32--  https://fedoraproject.org/
Resolving fedoraproject.org (fedoraproject.org)... 2604:1580:fe00:0:dead:beef:cafe:fed1, 2605:bc80:3010:600:dead:beef:cafe:fed9, 2610:28:3090:3001:dead:beef:cafe:fed3, ...
Connecting to fedoraproject.org (fedoraproject.org)|2604:1580:fe00:0:dead:beef:cafe:fed1|:443... connected.
ERROR: The certificate of 'fedoraproject.org' is not trusted.
ERROR: The certificate of 'fedoraproject.org' was signed using an insecure algorithm.



Version-Release number of selected component (if applicable):
crypto-policies-20160921-2.git75b9b04.fc25.noarch
wget-1.18-2.fc25.x86_64
gnutls-3.5.7-3.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. update-crypto-policies --set FUTURE
2. wget github.org
3.

Actual results:
See above.

Expected results:
Secure connection should be established.

Additional info:

Comment 1 Nikos Mavrogiannopoulos 2016-12-19 10:24:53 UTC
Although the underlying issue is the fact that wget overwrites the system policies with its own, which are more lax, the functionality issue (connection problem #1405956) can be fixed in gnutls [0]. I will include it in the next rebase of the component.

[0]. https://gitlab.com/gnutls/gnutls/merge_requests/195

Comment 2 Fedora Update System 2017-01-09 13:48:59 UTC
gnutls-3.5.8-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-88f1664dd4

Comment 3 Fedora Update System 2017-01-10 03:27:49 UTC
gnutls-3.5.8-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-88f1664dd4

Comment 4 Fedora Update System 2017-01-10 13:21:28 UTC
gnutls-3.5.8-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.