Bug 1751115

Summary: cannot connect to Windows 2012 R2
Product: [Fedora] Fedora Reporter: Pierre Ossman <ossman>
Component: crypto-policiesAssignee: Red Hat Crypto Team <crypto-team>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 30CC: asosedki, crypto-team, nmavrogi, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-11 14:25:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pierre Ossman 2019-09-11 08:20:11 UTC 
Description of problem:

Fedora 30's default configuration is unable to connect to Windows 2012 R2, which is needed for RDP clients using GnuTLS, i.e. rdesktop's upcoming version.

The issue is caused by an unfortunate change upstream:

https://gitlab.com/gnutls/gnutls/issues/831

It can be worked around for now though. if the default priority string includes "+SHA256". So this is a request to do just that.


Version-Release number of selected component (if applicable):

gnutls-3.6.8-1.fc30.x86_64


How reproducible:

100%


Steps to Reproduce:

$ gnutls-cli rds2012r2.example.com -p 3389


Actual results:

Server drops the connection and logs that it could not find a supported ciphersuite.


Expected results:

TLS handshake succeeds.


Additional info:

Oddly enough "openssl s_client" also fails to connect. I have not investigated if it also has gotten HMAC_SHA256 disabled, but if so then that should probably also be fixed.
Comment 1 Alexander Sosedkin 2019-09-11 08:56:26 UTC 
Correct me if I'm wrong, but aren't these scenarios specifically covered by the LEGACY policy?
Comment 2 Pierre Ossman 2019-09-11 09:13:10 UTC 
That might be intended, but LEGACY also leaves HMAC_SHA256 disabled. :)

Try this:

> $ gnutls-cli --list --priority LEGACY | grep CBC_SHA256
Comment 3 Alexander Sosedkin 2019-09-11 09:33:12 UTC 
Sorry for being unclear. I had crypto-policies LEGACY policy in mind (sudo update-crypto-policies --set LEGACY), but it seems like it doesn't cover this either.
Comment 4 Tomas Mraz 2019-09-11 10:21:40 UTC 
LEGACY policy adds things needed to support LEGACY systems - it is not intended to support marginal/weird/corner-case configurations.
Comment 5 Pierre Ossman 2019-09-11 10:23:43 UTC 
I'm seeing some more weirdness from Windows where the supported ciphersuites are changing in odd ways depending on TLS version. Let me investigate a bit more and see where I land. This might be more quirky than can be supported by default.
Comment 6 Pierre Ossman 2019-09-11 14:06:23 UTC 
And it now decided that it no longer accepts TLS 1.2...

It seems like there is something seriously broken with this specific RDS farm. So it's probably not a general issue. Sorry for the noise.

Feel free to close this. I'll comment if I find something that reasonably involves Fedora.