|Summary:||Visiting www.3dcenter.org results in SSL_ERROR_DECODE_ERROR_ALERT|
|Product:||[Fedora] Fedora||Reporter:||Martin Wolf <mwolf>|
|Component:||crypto-policies||Assignee:||Red Hat Crypto Team <crypto-team>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||30||CC:||0xalen+redhat, anto.trande, b37a, crypto-team, dueno, elio.maldonado.batiz, gecko-bugs-nobody, hkario, jhorak, john.j5live, kdudka, kengert, lef, nmavrogi, pjasicek, redhat-bugzilla, rhughes, richard.shadbolt, rstrode, sandmann, tmraz|
|Fixed In Version:||crypto-policies-20190527-1.git0b3add8.fc30 crypto-policies-20190527-1.git0b3add8.fc29||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2019-06-12 00:45:46 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Martin Wolf 2019-05-24 19:36:20 UTC
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.Install latest firefox from fedora repo ( firefox-67.0-3.fc30 ) 2.open firefox and go to https://www.3dcenter.org/ Actual results: SSL_ERROR_DECODE_ERROR_ALERT Expected results: page loading Additional info: The website works with chromium-vaapi and the firefox downloaded from mozilla.org so there has to be something in this build. Also I have tested it in safemode to test without addons.
Comment 1 Martin Wolf 2019-05-25 00:41:31 UTC
I did a bit of testing and found out that it is not firefox causing the problem but NSS. I reverted to nss-3.43.0-1.fc30.i686 nss-3.43.0-1.fc30.x86_64 nss-sysinit-3.43.0-1.fc30.x86_64 nss-tools-3.43.0-1.fc30.x86_64 and now I can access www.3dcenter.org again. Doing a distro-sync back to nss 3.44 makes the website inaccessible with the error described in my first post. Sorry for the confusion.
Comment 2 Daiki Ueno 2019-05-25 05:53:30 UTC
Thank you for the report. For some reason the server sends the alert if NSS doesn't include x25519 in the supported_groups extension. If you modify /etc/crypto-policies/back-ends/nss.config and add "CURVE25519" after the "allow=" clause, it should work: config="disallow=ALL allow=CURVE25519:HMAC-SHA256:..." I am not sure why this causes the difference, but perhaps because in that case the the key_share extension becomes longer than the server can handle.
Comment 3 Martin Wolf 2019-05-25 17:04:17 UTC
that works indeed. what now?
Comment 4 Daiki Ueno 2019-05-26 04:53:40 UTC
Comment 5 Tomas Mraz 2019-05-27 11:50:32 UTC
I am going to apply this patch of course, but it would still be interesting to know why the decode error alert is sent. Is that rather a server-side problem or nss is doing something wrong? There is also bug 1713416 which is probably a duplicate.
Comment 6 Martin Wolf 2019-05-27 12:25:18 UTC
I'm in contact with the site owner and they also have no clue why this happens, since they dont even utilize this curve. according to ssllabs.com they use SECP384R1
Comment 7 Fedora Update System 2019-05-27 13:02:56 UTC
crypto-policies-20190527-1.git0b3add8.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d
Comment 8 Fedora Update System 2019-05-27 13:03:00 UTC
crypto-policies-20190527-1.git0b3add8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8
Comment 9 Hubert Kario 2019-05-27 16:21:54 UTC
While there is a bug in crypto-policies: X25519 should not be disabled in DEFAULT policy, the interoperability issue is caused by a bug in server, which most likely is using LibreSSL. I was able to reproduce it using local build of LibreSSL so I've filed https://github.com/libressl-portable/portable/issues/531 upstream.
Comment 10 Fedora Update System 2019-05-28 02:28:00 UTC
crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d
Comment 11 Fedora Update System 2019-05-28 03:50:09 UTC
crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8
Comment 12 Daiki Ueno 2019-05-28 07:57:12 UTC
*** Bug 1713416 has been marked as a duplicate of this bug. ***
Comment 13 Fedora Update System 2019-06-12 00:45:46 UTC
crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2019-06-12 02:05:01 UTC
crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Shadders 2019-06-13 12:34:33 UTC
Hi, For Fedora 29 obtaining the following as of yesterday : ======================================= Skipping packages with conflicts: (add '--best --allowerasing' to command line to force their upgrade): crypto-policies noarch 20190527-1.git0b3add8.fc29 updates 51 k ======================================== Using the --best and --allowerasing obtained the following : ======================================== (try to add '--skip-broken' to skip uninstallable packages) ======================================== Did not capture the issue of reporting that conflict with other libraries. Today : ======================================== Problem: package crypto-policies-20190527-1.git0b3add8.fc29.noarch conflicts with libreswan < 3.28 provided by libreswan-3.27-1.fc29.x86_64 - cannot install the best update candidate for package libreswan-3.27-1.fc29.x86_64 - cannot install the best update candidate for package crypto-policies-20190211-2.gite3eacfc.fc29.noarch ========================================= Regards, Shadders.
Comment 16 Tomas Mraz 2019-06-13 12:50:13 UTC
Please just enable the testing repository temporarily. There is libreswan update there that should resolve this conflict.
Comment 17 Shadders 2019-06-13 13:02:43 UTC
Hi, Thanks. I am a novice, so will await the stable repository update, rather than tinker with the PC. Regards, Shadders.
Comment 18 Tomas Mraz 2019-06-13 14:13:54 UTC
You can just use dnf --enablerepo=updates-testing update crypto-policies And then you will be able to do normal dnf update to update the rest of the system without a problem. Or of course you can wait with the updates until the libreswan update makes it into stable.