Bug 1698681

Summary: mumble SSL errors.
Product: [Fedora] Fedora
Reporter: Carlos O'Donell <codonell>
Component: mumble
Assignee: Rex Dieter <rdieter>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: 30
CC: antonoussik, bztdlinux, chkr, fedora, j.golderer, johnhatestrash, mschmidt.mailbox, rdieter, sbroz, wfoster
Hardware: x86_64
OS: Linux
Fixed In Version: mumble-1.2.19-14.fc30 mumble-1.2.19-14.fc29
Last Closed: 2019-05-22 01:40:02 UTC
Type: Bug

Description Carlos O'Donell 2019-04-11 00:18:30 UTC
Description of problem:
Mumble fails to connect to server and reports SSL issues.

Version-Release number of selected component (if applicable):
mumble-1.2.19-12.fc30.x86_64

How reproducible:
Start mumble and try to connect to a server.

Steps to Reproduce:
1. Start mumble.
2. Pick server from list.
3. Click connect.

Actual results:

stdout shows:
OpenSSL Support: 1 (OpenSSL 1.1.1b FIPS  26 Feb 2019)
ServerHandler: TLS cipher preference is "TLS_AES_256_GCM_SHA384"

client shows:
[8:14 PM] Server connection failed: Invalid or empty cipher list (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match).

... and repeats this over and over as it tries to reconnect.

- Server does not connect.
- Clicking configure->settings causes a SIGSEGV:

(gdb) bt
#0  0x0000555555740112 in  ()
#1  0x0000555555741b8d in  ()
#2  0x0000555555615172 in  ()
#3  0x0000555555779609 in  ()
#4  0x00007ffff649e62a in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () at /lib64/libQtCore.so.4
#5  0x00007ffff6dd7b95 in QComboBox::currentIndexChanged(int) ()
    at /lib64/libQtGui.so.4
#6  0x00007ffff6dd7c46 in  () at /lib64/libQtGui.so.4
#7  0x00007ffff6dd7f53 in  () at /lib64/libQtGui.so.4
#8  0x00007ffff6dd81c3 in QComboBox::setCurrentIndex(int) ()
    at /lib64/libQtGui.so.4
#9  0x00007ffff649e966 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () at /lib64/libQtCore.so.4
#10 0x00007ffff64e9b58 in QAbstractItemModel::rowsInserted(QModelIndex const&, int, int) () at /lib64/libQtCore.so.4
#11 0x00007ffff6482e8e in QAbstractItemModel::endInsertRows() ()
    at /lib64/libQtCore.so.4
#12 0x00007ffff6faac63 in  () at /lib64/libQtGui.so.4
#13 0x00007ffff6fab2f6 in  () at /lib64/libQtGui.so.4
#14 0x00007ffff6dd91b4 in QComboBox::insertItem(int, QIcon const&, QString const&, QVariant const&) () at /lib64/libQtGui.so.4
#15 0x0000555555614331 in  ()
--Type <RET> for more, q to quit, c to continue without paging--
#16 0x0000555555614726 in  ()
#17 0x00005555556ae771 in  ()
#18 0x000055555563e5f6 in  ()
#19 0x000055555577b2af in  ()
#20 0x000055555577b5fb in  ()
#21 0x00007ffff649e62a in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) ()
    at /lib64/libQtCore.so.4
#22 0x00007ffff69fe616 in QAction::triggered(bool) () at /lib64/libQtGui.so.4
#23 0x00007ffff69ff9bf in QAction::activate(QAction::ActionEvent) () at /lib64/libQtGui.so.4
#24 0x00007ffff6e3da0b in  () at /lib64/libQtGui.so.4
#25 0x00007ffff6e41fa1 in  () at /lib64/libQtGui.so.4
#26 0x00007ffff6a59a96 in QWidget::event(QEvent*) () at /lib64/libQtGui.so.4
#27 0x00007ffff6e454bb in QMenu::event(QEvent*) () at /lib64/libQtGui.so.4
#28 0x00007ffff6a04461 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /lib64/libQtGui.so.4
#29 0x00007ffff6a0c034 in QApplication::notify(QObject*, QEvent*) () at /lib64/libQtGui.so.4
#30 0x00007ffff648a2af in QCoreApplication::notifyInternal(QObject*, QEvent*) () at /lib64/libQtCore.so.4
#31 0x00007ffff6a0a7e5 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) () at /lib64/libQtGui.so.4
#32 0x00007ffff6a816ab in  () at /lib64/libQtGui.so.4
#33 0x00007ffff6a80159 in QApplication::x11ProcessEvent(_XEvent*) () at /lib64/libQtGui.so.4
#34 0x00007ffff6aa6fff in  () at /lib64/libQtGui.so.4
#35 0x00007ffff5caefa0 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#36 0x00007ffff5caf338 in  () at /lib64/libglib-2.0.so.0
#37 0x00007ffff5caf3e3 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#38 0x00007ffff64b8206 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
    at /lib64/libQtCore.so.4
#39 0x00007ffff6aa719b in  () at /lib64/libQtGui.so.4
#40 0x00007ffff6488a93 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
    at /lib64/libQtCore.so.4
#41 0x00007ffff6488dae in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib64/libQtCore.so.4
#42 0x00007ffff648e23e in QCoreApplication::exec() () at /lib64/libQtCore.so.4
#43 0x00005555555e72dc in  ()
--Type <RET> for more, q to quit, c to continue without paging--
#44 0x00007ffff5dd5f33 in __libc_start_main () at /lib64/libc.so.6
#45 0x00005555555e9c7e in  ()
(gdb) 

Expected results:
- It works and connects to server.

Comment 1 Carlos O'Donell 2019-04-11 00:22:24 UTC
Connecting to the server works (server name redacted) and seems to work.

openssl s_client -showcerts -connect xxx.xxxx.xxx:64738
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 335 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Comment 2 Rex Dieter 2019-04-12 15:31:32 UTC
Can you retest trying:

openssl s_client -cipher 'TLS_AES_256_GCM_SHA384' -connect xxx.xxxx.xxx:64738

??

Another thing to try, use update-crypto-policy to be more permissive, (as root):

update-crypto-policies --set LEGACY

(to put things back the way they were, run:
update-crypto-policies --set DEFAULT
)

and see if that helps?

Comment 3 Anton Oussik 2019-04-15 00:23:02 UTC
I too have this problem.

Entering the openssl command you suggested generates this output:

Error with command: "-cipher TLS_AES_256_GCM_SHA384"
140636483376960:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

Changing the crypto policy to LEGACY does not change the output of that command, or behaviour of mumble.

Comment 4 Anton Oussik 2019-04-15 00:30:23 UTC
Additionally, without -cipher argument I get output containing the following:

No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1559 bytes and written 467 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
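
Added example (not part of the bug report and not the Mumble or Fedora patch): Python's ssl.SSLContext.set_ciphers() calls the same SSL_CTX_set_cipher_list() named in the error above, which takes only TLS 1.2-and-earlier cipher names, so this check reproduces the rejection of a TLS 1.3 suite name and strips such names from a preference string. The helper names and the NOT-A-CIPHER value are hypothetical.

```python
import ssl

# TLS 1.3 suite names from RFC 8446, as spelled by OpenSSL. OpenSSL configures
# these through SSL_CTX_set_ciphersuites(), not through the cipher-list API.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def accepted_by_cipher_list(cipher_string):
    """True if SSL_CTX_set_cipher_list() (via set_ciphers) accepts the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def split_cipher_preference(preference):
    """Partition a colon-separated list of plain cipher names (no operators
    such as '!' or '+') into cipher-list names, TLS 1.3 suites and unusable."""
    legacy, tls13, unusable = [], [], []
    for name in filter(None, preference.split(":")):
        if name in TLS13_SUITES:
            tls13.append(name)
        elif accepted_by_cipher_list(name):
            legacy.append(name)
        else:
            unusable.append(name)
    return legacy, tls13, unusable


def safe_cipher_list(preference):
    """String that is safe to hand to the cipher-list API, or None when only
    TLS 1.3 suites remain and the library default should be left in place."""
    legacy, _tls13, _unusable = split_cipher_preference(preference)
    return ":".join(legacy) or None


if __name__ == "__main__":
    # The first two names appear in the report; NOT-A-CIPHER is constructed.
    pref = "TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:NOT-A-CIPHER"
    print(accepted_by_cipher_list("TLS_AES_256_GCM_SHA384"))
    print(split_cipher_preference(pref), safe_cipher_list(pref))
```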

Comment 5 Anton Oussik 2019-05-06 11:26:00 UTC
Building mumble 1.3-rc1 fixes this for me.

I suggest resolving this bug by bumping mumble to a more recent version.

Comment 6 Marco Schmidt 2019-05-07 04:51:40 UTC
This seems to be a problem of murmur. Since the upgrade from F29 to F30 it only offers TLS_AES_256_GCM_SHA384 as cipher and completely ignores crypto-policy settings. I've seen murmur-1.2.19-10.fc29 offering a lot more ciphers, after updating to F30 with 1.2.19-12.fc30 there's only one left (s.a.).

mumble-1.2.19-12.fc30 crashes every time I'm trying to start it, there's already another bug filed at https://bugzilla.redhat.com/show_bug.cgi?id=1706626

Sad days for mumble / murmur users on F30 :-/

Comment 7 bztdlinux 2019-05-07 16:14:56 UTC
It's not just murmur - connecting to public murmur instances also fails for me.

Comment 8 Stepan Broz 2019-05-11 22:49:44 UTC
I also have this problem; setting crypto-policies to LEGACY does not solve the issue.

Comment 9 Stepan Broz 2019-05-12 00:15:08 UTC
I wrote a patch for the SSL error that fixes my mumble issues, can anyone confirm that murmur issues are also addressed -- if there were any?

https://bugzilla.redhat.com/show_bug.cgi?id=1708925#c15

Made scratch-built packages for x86_64 (they will disappear in a few days) check https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322

This build uses the patch from 1706626, and mine from 1708925 in a single .patch file. Works for me.

Comment 10 Will Foster 2019-05-16 13:47:39 UTC
Came to report I'm having the same issue; it's not possible to downgrade to the fc29 mumble without breaking libprotobuf.

Comment 11 Will Foster 2019-05-16 14:02:12 UTC
(In reply to Stepan Broz from comment #9)
> I wrote a patch for the SSL error that fixes my mumble issues, can anyone
> confirm that murmur issues are also addressed -- if there were any?
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1708925#c15
> 
> Made scratch-built packages for x86_64 (they will disappear in a few days)
> check https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322
> 
> This build uses the patch from 1706626, and mine from 1708925 in a single
> .patch file. Works for me.

Hey Stepan, I can confirm that I'm able to connect to servers again with your patched RPM.

However I keep getting disconnected after some short period of time.

Comment 12 Stepan Broz 2019-05-16 14:19:20 UTC
Hi, thanks for the feedback. Hopefully the package maintainer will address the issues soon.

I don't have any disconnect issues, though. Maybe that is a different/unrelated issue? Check the murmur logs, if you have access to them, and mumble client console for errors.

Comment 13 Will Foster 2019-05-16 15:13:46 UTC
(In reply to Will Foster from comment #11)
> (In reply to Stepan Broz from comment #9)
> > I wrote a patch for the SSL error that fixes my mumble issues, can anyone
> > confirm that murmur issues are also addressed -- if there were any?
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1708925#c15
> > 
> > Made scratch-built packages for x86_64 (they will disappear in a few days)
> > check https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322
> > 
> > This build uses the patch from 1706626, and mine from 1708925 in a single
> > .patch file. Works for me.
> 
> Hey Stepan, I can confirm that I'm able to connect to servers again with
> your patched RPM.
> 
> However I keep getting disconnected after some short period of time.

After some further testing the disconnects were on my end, the patched RPM from Stepan works fine for me here:

https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322

Comment 14 Rex Dieter 2019-05-16 16:11:28 UTC
I can help pull in fixes into packaging today.

Comment 15 Fedora Update System 2019-05-16 17:21:53 UTC
mumble-1.2.19-13.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 16 Fedora Update System 2019-05-16 17:22:57 UTC
mumble-1.2.19-13.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 17 Marco Schmidt 2019-05-16 18:35:57 UTC
Thanks for the update, it also fixes https://bugzilla.redhat.com/show_bug.cgi?id=1706626

Comment 18 Fedora Update System 2019-05-17 03:48:47 UTC
mumble-1.2.19-13.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 19 Fedora Update System 2019-05-17 15:37:57 UTC
mumble-1.2.19-13.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 20 Fedora Update System 2019-05-17 20:42:47 UTC
mumble-1.2.19-14.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 21 Fedora Update System 2019-05-17 20:43:32 UTC
mumble-1.2.19-14.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 22 Fedora Update System 2019-05-18 00:53:51 UTC
mumble-1.2.19-14.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 23 Fedora Update System 2019-05-18 04:11:13 UTC
mumble-1.2.19-14.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 24 Fedora Update System 2019-05-22 01:40:02 UTC
mumble-1.2.19-14.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2019-05-28 02:00:43 UTC
mumble-1.2.19-14.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.