Bug 1437363
| Summary: | openssl could not use 3des in DEFAULT profile | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukáš Zachar <lzachar> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | tmraz |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Last Closed: | 2017-03-30 08:25:03 UTC | Type: | Bug |
The upstream decided to disable (at build time) support for all weak ciphersuites by default. I want to follow it.
Description of problem:
Cannot connect to 3des in DEFAULT profile.

Version-Release number of selected component (if applicable):

    # rpm -q openssl crypto-policies
    openssl-1.1.0e-1.fc27.x86_64
    crypto-policies-20170214-2.gitf3018dd.fc26.noarch

How reproducible:
always

Steps to Reproduce:

    1. update-crypto-policies --set DEFAULT
    2. (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com

Actual results:

    Setting system policy to DEFAULT
    CONNECTED(00000003)
    139714742982400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 268 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        Start Time: 1490860465
        Timeout : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    # echo $?
    1

Expected results:

Additional info:
Testcase from http://fedoraproject.org/wiki/QA:Testcase_CryptoPolicies_Sanity
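The handshake failure above does not by itself say whether 3DES is missing from the OpenSSL build or only left out of the default cipher list. The following is an added example, not part of the bug report or of the openssl package: it classifies `openssl ciphers -v` listings, and the function names, result labels and sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify where 3DES suites are visible in
# `openssl ciphers -v` output. Names and labels here are hypothetical.

# Print the names of suites whose Enc= column is 3DES (listing on stdin).
list_3des() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^Enc=3DES\(/) { print $1; break } }'
}

# classify_3des ALL_LISTING DEFAULT_LISTING
# Prints one of:
#   absent-from-build  no 3DES suite even in the ALL listing
#   not-in-default     3DES exists in ALL but not in DEFAULT
#   offered            the DEFAULT listing still contains a 3DES suite
classify_3des() {
    in_all=$(printf '%s\n' "$1" | list_3des)
    in_default=$(printf '%s\n' "$2" | list_3des)
    if [ -z "$in_all" ]; then
        echo absent-from-build
    elif [ -z "$in_default" ]; then
        echo not-in-default
    else
        echo offered
    fi
}

# Run the classification against the locally installed openssl binary.
# An empty listing (for example, openssl not installed) also yields
# absent-from-build, so check that the binary exists first.
diagnose_local() {
    classify_3des "$(openssl ciphers -v 'ALL' 2>/dev/null)" \
                  "$(openssl ciphers -v 'DEFAULT' 2>/dev/null)"
}

# Constructed sample listings (not captured from a real system).
SAMPLE_NO_3DES='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'
SAMPLE_WITH_3DES="$SAMPLE_NO_3DES
ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"
```

Calling `diagnose_local` on the affected machine gives the same classification for the installed openssl.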