Bug 1573468

Is this still an issue?  If so, can you give a specific example of SSL sites that fail?

Created attachment 1501194 [details]
Arora Browser Error

Can confirm this is still an issue, qt5 version is now 5.11.1. Issue happens on every website I could test with SSL.

Attached a screenshot of Arora Browser trying to access https://start.fedoraproject.org as an example and displaying the error

Is there any detail about what could be causing this issue? Is there anything else I can provide to help the process? I logged this back in May and it's still an issue

This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Have upgraded my system to Fedora 30 and the issue still very much exists.

I still cannot reproduce, tested with arora, falkon, konqueror browsers on fresh f30 install, all load
https://start.fedoraproject.org
and a @dayjob site with a custom wildcard cert ok

I'd guess the problem here is more specific to your setup, and not a bug in general (otherwise, we'd see this problem more wide-spread).

I'll see if I can dig up how to use 'openssl s_client' to test this.

What does this say for you?

echo | openssl s_client -connect start.fedoraproject.org:443

Does it show any errors?

Of course it'd be my luck that I'm the only one with this issue lol.

Here's the output of that command. Please let me know anything else you need:


[colpanic@NATASCHA ~]$ echo | openssl s_client -connect start.fedoraproject.org:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org
verify return:1
---
Certificate chain
 0 s:C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGaDCCBVCgAwIBAgIQBgAdcIAphhlAa5cCvBVVJTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNzAyMDEwMDAwMDBaFw0yMDA1MDExMjAwMDBa
MG0xCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEQMA4GA1UE
BxMHUmFsZWlnaDEVMBMGA1UEChMMUmVkIEhhdCBJbmMuMRwwGgYDVQQDDBMqLmZl
ZG9yYXByb2plY3Qub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
37LQjTJywmLXo+XygC/0A4BnhIxTxVSyvDfeUefjLga9HmG+/V0E5AsRCORJJIg9
0Coe7n6GM8gZMb9zCX/FlEd3SibbNHHLN7lijd6sT75ZiRYYrcfOPvx/EFvqUOZ7
kOV65ecFR8TiI2znPHcXEXgiRQwCXUY11NH5s/2PVwORUeEr+ZPGTfqIqjD0lcqv
Ls2jNx1Lce1bNNSug2ReMXfdPm59j/dmhMdqOrSyr74JFCYwIuBHneH41YLshBml
WZE3dQGqwpKezVTFFNqT7frozhlQrvd4gXgB+3ULZynnkFfVnSMfGLZpE3zk2LAB
5rEG8cQ+Nu9VH7PjavrRZkVmmoosB0AZ5iXYdJdwc2lknA72jkajVVvljFDEfn9Y
KDdoXJlhfX4OyVzO2ab6tjt5ZY0gBGLVN2soTfXbeoCR4ErnKD9pxjqKWm9OFgLI
ETEAxS0Y+dASTYFVZOvujbELlilQp0Ixmbs2WRwHsfKzZKvR1upqzOpnqd4ljYHY
dtUA5WyTdUTSlKv3NjD3FAQw8xByHtI/Hyf7RVIRlWy/9di7CoEsOsdq4NGps+9s
I42W4sd9gFXDCQzylX5MqZlgteIlW8wG/63s0O/dJW8U6BFuAN166PH0uYXT5k4W
QED2HDoie8JQy7Y1inDBhDo+zA7eqWrZIO9/8h9D+ZUCAwEAAaOCAf8wggH7MB8G
A1UdIwQYMBaAFFFo/5CvAgd1PMzZZWRiohK4WXI7MB0GA1UdDgQWBBTf0GV/3Qey
/Q4CMu7XrW3kk4OtJjAxBgNVHREEKjAoghMqLmZlZG9yYXByb2plY3Qub3JnghFm
ZWRvcmFwcm9qZWN0Lm9yZzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMHUGA1UdHwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRp
Z2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZlci1nNS5jcmwwNKAyoDCGLmh0dHA6Ly9j
cmw0LmRpZ2ljZXJ0LmNvbS9zaGEyLWhhLXNlcnZlci1nNS5jcmwwTAYDVR0gBEUw
QzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNl
cnQuY29tL0NQUzAIBgZngQwBAgIwgYMGCCsGAQUFBwEBBHcwdTAkBggrBgEFBQcw
AYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tME0GCCsGAQUFBzAChkFodHRwOi8v
Y2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEySGlnaEFzc3VyYW5jZVNl
cnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBiAwx1
DjSBQoum+ZDbX57ZHWvOAtausc6oMk5j02jco8c5Cc3fZoNHrhAxmCxLdGgdWz5q
CeyWrsNl2+znX3iTUUUsjOPPjOjDDfZKkphKW7dFA0ec6tW6bZ+5BeRfjos1ZlqO
d0Yey/Hti5T3sVN5jwBGJCXyb8PxLDfi5XEccP8DMIa91EdmERyblTotMyQ8O1He
P3VNdGG7tJY53IFr5gRZ/BuQe99k+P5eQ7iHMv6K8DjR6apRY+LJ/Li0y2bwlF1x
GzQz5B4XCOHC23A+11tH1tW/LSUF0g5RaQxldVrRBn74ec9Sc1NkFsZC1bn4FYYt
DWfhteUyLpUczjDE
-----END CERTIFICATE-----
subject=C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.fedoraproject.org

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3670 bytes and written 415 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Fedora 30 changed to end-of-life (EOL) status on 2020-05-26. Fedora 30 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Have reopened as I have finally upgraded to 32 and the problem still exists. Additionally, the problem seems to have spread now, my plasmashell keeps crashing as some part of it (maybe a widget? Not sure) is trying to access a HTTPS site, which throws the error and clicking "Details" or "Continue" causes plasmashell to crash and restart.

I tried to run Arora with sudo to see if it was a problem with my user account (maybe something in my ~ could have been the cause) but it still produced the same problem.

I think I finally had a breakthrough on this after all this time. Long standing Qt bug: https://bugzilla.redhat.com/show_bug.cgi?id=1021499.

I had a symlink /etc/ssl/certs/2c543cd1.0 -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, this was to work around a bug with Borderlands games that couldn't get online due to their own SSL issues. However apparently having any *.0 files in this folder causes Qt to break when dealing with SSL. I've removed this symlink and the error is finally gone.

Seeing as the cause has finally been linked to an existing bug, I'm closing this one as a dupe.

*** This bug has been marked as a duplicate of bug 1021499 ***