Bug 1437209
| Summary: | openssl could not use legacy ciphers in LEGACY profile | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stanislav Zidek <szidek> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 26 | CC: | tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-30 07:54:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
RC4 is completely disabled with OpenSSL-1.1.0 along with other weak cipher suites. I do not think we want to change this. |
Description of problem: I am not able to connect to e.g. rc4.badssl.com even if I set LEGACY profile in crypto-policies. Version-Release number of selected component (if applicable): # rpm -q openssl crypto-policies openssl-1.1.0e-1.fc26.x86_64 crypto-policies-20170214-2.gitf3018dd.fc26.noarch How reproducible: always Steps to Reproduce: 1. update-crypto-policies --set LEGACY 2. openssl s_client -connect rc4.badssl.com:443 -servername rc4.badssl.com -cipher 'PROFILE=SYSTEM' Actual results: Setting system policy to LEGACY CONNECTED(00000003) 140264570758912:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 267 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None Start Time: 1490813499 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- Expected results: Connection is negotiated.