Bug 1449605

Summary: libvncclient sets +SRP in priority string when SRP is not supported by Fedora GnuTLS
Product: [Fedora] Fedora
Component: libvncserver
Version: 25
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Christopher Ng <facboy>
Assignee: Rex Dieter <rdieter>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ppisar, rdieter
Fixed In Version: libvncserver-0.9.11-2.fc25.1 libvncserver-0.9.11-2.fc26
Last Closed: 2017-05-26 04:03:36 UTC
Type: Bug

Description Christopher Ng 2017-05-10 11:03:39 UTC
Description of problem:
This patch (http://pkgs.fedoraproject.org/cgit/rpms/libvncserver.git/tree/LibVNCServer-0.9.10-system-crypto-policy.patch) changes the TLS priority string but it leaves in +SRP which is not supported by Fedora's version of GnuTLS.  GnuTLS rejects the priority string and the connection fails.

Version-Release number of selected component (if applicable):
0.9.10, 0.9.11

How reproducible:
Always.

Steps to Reproduce:
1. Start a TigerVNCServer with x509vnc enabled
2. Try to connect using Remmina as client (which uses libvncserver's client)

Actual results:
Remmina fails with an authentication failed error, but looking through the debug output of Remmina and GnuTLS shows that the priority string is wrong:

Remmina:

[VNC]VNC server supports protocol version 3.8 (viewer 3.8)
[VNC]We have 1 security types to read
[VNC]0) Received security type 19
[VNC]Selecting security type 19 (0/1 in the list)
[VNC]Selected Security Scheme 19
[VNC]GnuTLS initialized.
[VNC]Got VeNCrypt version 0.2 from server.
[VNC]We have 1 security types to read
[VNC]0) Received security type 261
[VNC]Selecting security type 261 (0/1 in the list)
[VNC]No client certificate or key provided.
[VNC]No CRL provided.
[VNC]TLS session initialized.
[VNC]TLS handshake failed: No or insufficient priorities were set..

GNUTLS_DEBUG_LEVEL=99:
gnutls[3]: ASSERT: extensions.c[_gnutls_get_extension]:65
gnutls[3]: ASSERT: extensions.c[_gnutls_get_extension]:65
gnutls[3]: ASSERT: mpi.c[_gnutls_x509_read_uint]:246
gnutls[5]: REC[0x7fc83805c530]: Allocating epoch #0
gnutls[2]: system priority /etc/crypto-policies/back-ends/gnutls.config has not changed
gnutls[2]: resolved 'SYSTEM' to 'NONE:+AEAD:+SHA1:+SHA256:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+PSK:+DHE-PSK:+ECDHE-PSK:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW', next ''
gnutls[2]: selected priority string: NONE:+AEAD:+SHA1:+SHA256:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+3DES-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+DHE-DSS:+PSK:+DHE-PSK:+ECDHE-PSK:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW:+SRP
gnutls[3]: ASSERT: priority.c[gnutls_priority_set_direct]:1497
gnutls[3]: ASSERT: handshake.c[gnutls_handshake]:2577
gnutls[5]: REC[0x7fc83805c530]: Start of epoch cleanup
gnutls[5]: REC[0x7fc83805c530]: End of epoch cleanup
gnutls[5]: REC[0x7fc83805c530]: Epoch #0 freed

Expected results:
Remmina should connect successfully.

Additional info:
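
Added example, not part of the original report or of libvncserver: a Python helper that triages GnuTLS debug output like the above by diffing the resolved system policy against the selected priority string, which isolates the keywords the application appended. The sample log is constructed (policy abridged), the name `triage` is hypothetical, and treating an ASSERT in priority.c as a rejected priority string is an assumption based on the output shown in this report.

```python
import re

# Constructed sample in the format of the GNUTLS_DEBUG_LEVEL output above;
# the system policy is abridged to a few keywords.
SAMPLE_LOG = """\
gnutls[2]: resolved 'SYSTEM' to 'NONE:+AEAD:+SHA256:+AES-256-GCM:+ECDHE-RSA:+VERS-TLS1.2:+COMP-NULL:%PROFILE_LOW', next ''
gnutls[2]: selected priority string: NONE:+AEAD:+SHA256:+AES-256-GCM:+ECDHE-RSA:+VERS-TLS1.2:+COMP-NULL:%PROFILE_LOW:+SRP
gnutls[3]: ASSERT: priority.c[gnutls_priority_set_direct]:1497
gnutls[3]: ASSERT: handshake.c[gnutls_handshake]:2577
"""

RESOLVED = re.compile(r"resolved '(?P<name>[^']+)' to '(?P<policy>[^']*)'")
SELECTED = re.compile(r"selected priority string: (?P<prio>\S+)")
# Assumption: an ASSERT raised inside a gnutls_priority_set* function means
# the priority string was not applied, as in the report above.
SET_FAILED = re.compile(r"ASSERT: priority\.c\[gnutls_priority_set\w*\]")


def triage(log_text):
    """Report keywords appended to the system policy and whether GnuTLS
    asserted while applying the resulting priority string."""
    policy = None
    selected = None
    rejected = False
    for line in log_text.splitlines():
        resolved_match = RESOLVED.search(line)
        selected_match = SELECTED.search(line)
        if resolved_match:
            policy = resolved_match.group("policy").split(":")
        elif selected_match:
            selected = selected_match.group("prio").split(":")
        elif SET_FAILED.search(line):
            rejected = True
    if policy is None or selected is None:
        # Debug level too low or log truncated: nothing to compare.
        return {"appended": [], "rejected": rejected, "complete": False}
    # Keywords in the final string that the policy did not supply came from
    # the application's own priority string.
    appended = [tok for tok in selected if tok not in policy]
    return {"appended": appended, "rejected": rejected, "complete": True}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```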

Comment 1 Christopher Ng 2017-05-10 11:04:16 UTC
afaik it looks like this would affect 26 and rawhide as well.

Comment 2 Fedora Update System 2017-05-16 16:53:48 UTC
libvncserver-0.9.11-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6125002d79

Comment 3 Fedora Update System 2017-05-16 16:55:37 UTC
libvncserver-0.9.11-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0e08170fd3

Comment 4 Fedora Update System 2017-05-16 16:57:46 UTC
libvncserver-0.9.11-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-dd5d2381e4

Comment 5 Fedora Update System 2017-05-17 19:07:49 UTC
libvncserver-0.9.11-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6125002d79

Comment 6 Fedora Update System 2017-05-17 23:07:24 UTC
libvncserver-0.9.11-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-dd5d2381e4

Comment 7 Fedora Update System 2017-05-17 23:12:12 UTC
libvncserver-0.9.11-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0e08170fd3

Comment 8 Fedora Update System 2017-05-18 13:09:31 UTC
libvncserver-0.9.11-2.fc25.1 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-0e08170fd3

Comment 9 Fedora Update System 2017-05-18 13:10:04 UTC
libvncserver-0.9.11-2.fc24.1 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-dd5d2381e4

Comment 10 Fedora Update System 2017-05-18 23:30:15 UTC
libvncserver-0.9.11-2.fc24.1 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-dd5d2381e4

Comment 11 Fedora Update System 2017-05-18 23:34:47 UTC
libvncserver-0.9.11-2.fc25.1 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-0e08170fd3

Comment 12 Christopher Ng 2017-05-19 16:52:36 UTC
Test case works for me now with libvncserver-0.9.11-2.fc25.1 and remmina-plugins-vnc-1.2.0-0.34.20170424git2c0a77e.fc25.x86_64.rpm from Fedora 25 testing repository.

Comment 13 Fedora Update System 2017-05-26 03:54:54 UTC
libvncserver-0.9.11-2.fc24.1 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2017-05-26 04:03:36 UTC
libvncserver-0.9.11-2.fc25.1 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2017-06-03 17:38:31 UTC
libvncserver-0.9.11-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.