Bug 1934595
| Summary: | DTLS1.0 connections are allowed in DEFAULT crypto-policy [fedora] | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Hubert Kario <hkario> |
| Component: | crypto-policies | Assignee: | Red Hat Crypto Team <crypto-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 36 | CC: | asosedki, cheimes, cllang, crypto-team, dbelyavs, lef, mturk, rrelyea, sahana, tm |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-06-17 11:07:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
OpenSSL added support for setting MinProtocol version in DTLS in https://github.com/openssl/openssl/pull/12507/

This was released in OpenSSL version 1.1.1h. crypto-policies needs to align with this change in OpenSSL.

This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.

With openssl-1:3.0.3-1.fc36.x86_64:
[root@fedora36 ~]# update-crypto-policies --show
DEFAULT
[root@fedora36 ~]# openssl req -x509 -newkey rsa:2048 -keyout /tmp/key.pem -out /tmp/cert.pem -days 365 -nodes -subj "/CN=localhost"
.......+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+......+............+...+..+.+.....+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+...+......+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+.......+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+...+......+.........+..........+..+.+........+.......+.....+...+..........+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
[root@fedora36 ~]# openssl s_server -dtls -key /tmp/key.pem -cert /tmp/cert.pem
In a separate terminal:
[root@fedora36 ~]# openssl s_client -dtls1 -cipher DEFAULT@SECLEVEL=0 -CAfile /tmp/cert.pem
CONNECTED(00000003)
40DC81168E7F0000:error:0A00042E:SSL routines:dtls1_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_d1.c:613:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 63 bytes and written 298 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : DTLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1655463861
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Using DTLSv1.2 works:
[root@fedora36 ~]# openssl s_client -dtls1_2 -cipher DEFAULT@SECLEVEL=0 -CAfile /tmp/cert.pem
CONNECTED(00000003)
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:CN = localhost
i:CN = localhost
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 17 11:03:17 2022 GMT; NotAfter: Jun 17 11:03:17 2023 GMT
---
Server certificate
subject=CN = localhost
issuer=CN = localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1724 bytes and written 583 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : DTLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D2F00170E9532A59F426E50C9A149E534DF87DEC21A60C0AE41AA90EBEC1ADD1
Session-ID-ctx:
Master-Key: 86BEB538134EE62CB3DC55B64BB4226B16F12C150B7D194CB44957011704A912C332BF47A7C5DC77F6BD542AA9CB5EEC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1655463869
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
DONE
That's expected:
[root@fedora36 ~]# grep DTLS /etc/crypto-policies/back-ends/opensslcnf.config
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
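The `grep` check above, turned into a repeatable audit, as an added example that is not part of the bug report or of crypto-policies: it reads the OpenSSL back-end file and fails when `TLS.MinProtocol` or `DTLS.MinProtocol` is missing or below 1.2. The function names and the sample file are constructed, and `TLS.MinProtocol` is assumed to use the same `KEY = value` form as the DTLS lines shown.

```shell
# Added example (not from the bug report): audit version floors in a policy file.
# Print the value of the last "KEY = value" line in FILE ($1), nothing if absent.
get_setting() {
    awk -v key="$2" '
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# Rank a protocol name; ranks are only compared within one family (TLS or DTLS).
proto_rank() {
    case "$1" in
        TLSv1|DTLSv1)     echo 10 ;;
        TLSv1.1)          echo 11 ;;
        TLSv1.2|DTLSv1.2) echo 12 ;;
        TLSv1.3)          echo 13 ;;
        *)                echo 0 ;;   # unknown value: below any floor
    esac
}

# check_floor FILE KEY REQUIRED: fail if KEY is missing or below REQUIRED.
check_floor() {
    cf_actual=$(get_setting "$1" "$2")
    if [ -z "$cf_actual" ]; then
        echo "FAIL: $2 is not set in $1"; return 1
    fi
    if [ "$(proto_rank "$cf_actual")" -lt "$(proto_rank "$3")" ]; then
        echo "FAIL: $2 = $cf_actual is below $3"; return 1
    fi
    echo "OK: $2 = $cf_actual"
}

# audit_policy [FILE]: require a 1.2 floor for both TLS and DTLS.
audit_policy() {
    ap_file=${1:-/etc/crypto-policies/back-ends/opensslcnf.config}; ap_rc=0
    check_floor "$ap_file" TLS.MinProtocol TLSv1.2 || ap_rc=1
    check_floor "$ap_file" DTLS.MinProtocol DTLSv1.2 || ap_rc=1
    return "$ap_rc"
}

# Constructed sample: a TLS floor is present but the DTLS floor is missing.
sample=$(mktemp)
printf 'TLS.MinProtocol = TLSv1.2\nTLS.MaxProtocol = TLSv1.3\n' > "$sample"
audit_policy "$sample" || echo "policy file needs attention"
rm -f "$sample"
```

Called without an argument, `audit_policy` reads `/etc/crypto-policies/back-ends/opensslcnf.config`, the file inspected above.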
Description of problem:
OpenSSL will allow DTLSv1.0 connections when system is configured with DEFAULT policy. This is in contrast to TLS, where in DEFAULT policy TLS 1.2 is the oldest version supported.

Version-Release number of selected component (if applicable):
openssl-1.1.1i-3.fc33.x86_64

How reproducible:
always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa:2048 -keyout /tmp/key.pem -out /tmp/cert.pem -days 365 -nodes -subj "/CN=localhost"
2. openssl s_server -dtls -key /tmp/key.pem -cert /tmp/cert.pem
3. (separate terminal) openssl s_client -dtls1 -cipher DEFAULT@SECLEVEL=0 -CAfile /tmp/cert.pem

Actual results:
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1708 bytes and written 583 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : DTLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E458F357925A5759B1F9EED6B9B2E9287E83D08DA78F5D7AA957845A74C4E46C
Session-ID-ctx:
Master-Key: C0AB4CFA6A4B5052D4087270BF8B5D1522DE96DF53D80172B6B2155603A8F77804C9D1E3D6E1F35C5A81584F7891AC88
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1614782081
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---

Expected results:
connection failure

Additional info: