Bug 1713777
Summary: | Visiting www.3dcenter.org results in SSL_ERROR_DECODE_ERROR_ALERT | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Martin Wolf <mwolf> |
Component: | crypto-policies | Assignee: | Red Hat Crypto Team <crypto-team> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 30 | CC: | 0xalen+redhat, anto.trande, b37a, crypto-team, dueno, elio.maldonado.batiz, gecko-bugs-nobody, hkario, jhorak, john.j5live, kdudka, kengert, lef, nmavrogi, pjasicek, redhat-bugzilla, rhughes, richard.shadbolt, rstrode, sandmann, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | crypto-policies-20190527-1.git0b3add8.fc30 crypto-policies-20190527-1.git0b3add8.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-12 00:45:46 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Martin Wolf
2019-05-24 19:36:20 UTC
I did a bit of testing and found out that it is not firefox causing the problem but NSS. I reverted to nss-3.43.0-1.fc30.i686 nss-3.43.0-1.fc30.x86_64 nss-sysinit-3.43.0-1.fc30.x86_64 nss-tools-3.43.0-1.fc30.x86_64 and now I can access www.3dcenter.org again. Doing a distro-sync back to nss 3.44 makes the website inaccessible with the error described in my first post. Sorry for the confusion. Thank you for the report. For some reason the server sends the alert if NSS doesn't include x25519 in the supported_groups extension. If you modify /etc/crypto-policies/back-ends/nss.config and add "CURVE25519" after the "allow=" clause, it should work: config="disallow=ALL allow=CURVE25519:HMAC-SHA256:..." I am not sure why this causes the difference, but perhaps because in that case the the key_share extension becomes longer than the server can handle. that works indeed. what now? I am going to apply this patch of course, but it would still be interesting to know why the decode error alert is sent. Is that rather a server-side problem or nss is doing something wrong? There is also bug 1713416 which is probably a duplicate. I'm in contact with the site owner and they also have no clue why this happens, since they dont even utilize this curve. according to ssllabs.com they use SECP384R1 crypto-policies-20190527-1.git0b3add8.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d crypto-policies-20190527-1.git0b3add8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8 While there is a bug in crypto-policies: X25519 should not be disabled in DEFAULT policy, the interoperability issue is caused by a bug in server, which most likely is using LibreSSL. I was able to reproduce it using local build of LibreSSL so I've filed https://github.com/libressl-portable/portable/issues/531 upstream. crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8 *** Bug 1713416 has been marked as a duplicate of this bug. *** crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report. crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report. Hi, For Fedora 29 obtaining the following as of yesterday : ======================================= Skipping packages with conflicts: (add '--best --allowerasing' to command line to force their upgrade): crypto-policies noarch 20190527-1.git0b3add8.fc29 updates 51 k ======================================== Using the --best and --allowerasing obtained the following : ======================================== (try to add '--skip-broken' to skip uninstallable packages) ======================================== Did not capture the issue of reporting that conflict with other libraries. Today : ======================================== Problem: package crypto-policies-20190527-1.git0b3add8.fc29.noarch conflicts with libreswan < 3.28 provided by libreswan-3.27-1.fc29.x86_64 - cannot install the best update candidate for package libreswan-3.27-1.fc29.x86_64 - cannot install the best update candidate for package crypto-policies-20190211-2.gite3eacfc.fc29.noarch ========================================= Regards, Shadders. Please just enable the testing repository temporarily. There is libreswan update there that should resolve this conflict. Hi, Thanks. I am a novice, so will await the stable repository update, rather than tinker with the PC. Regards, Shadders. You can just use dnf --enablerepo=updates-testing update crypto-policies And then you will be able to do normal dnf update to update the rest of the system without a problem. Or of course you can wait with the updates until the libreswan update makes it into stable. |