Bug 2099355
| Summary: | Firefox fails Secure Connection Failed - SSL_ERROR_NO_CYPHER_OVERLAP | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | cs <csynt8bit> |
| Component: | nss | Assignee: | Bob Relyea <rrelyea> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | ||
| Version: | 36 | CC: | crypto-team, elio.maldonado.batiz, erack, gecko-bugs-nobody, jhorak, kai-engert-fedora, klaas, pjasicek, rrelyea, rstrode, sandmann, stransky |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-11-01 15:09:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Moving to NSS to get attention of NSS folks.

OK Firefox 91.0.0esr works on RHEL-8 with nss-3.79. I'm currently working under the assumption that this is an NSS+policy issue as the upstream nightlies (which also have nss-3.79, but which do not integrate with crypto-policies) were also reported working.

On RHEL-9, we fail with vfyserv and not firefox, so this again verifies it's not firefox specific:

```
# vfyserv -c www.shellenergy.co.uk
Connecting to host www.shellenergy.co.uk (addr 63.35.200.91) on port 443
Error in function PR_Write:
	 -12286 - Cannot communicate securely with peer: no common encryption algorithm(s).
```

Setting crypto-policies to LEGACY allows connectivity:

```
# update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
# !vfy
vfyserv -c www.shellenergy.co.uk
Connecting to host www.shellenergy.co.uk (addr 34.242.82.39) on port 443
Cert file cert.000 was created.
Cert file cert.001 was created.
Cert file cert.002 was created.
Cert file cert.003 was created.
Handshake Complete: SERVER CONFIGURED CORRECTLY
bulk cipher AES-128-GCM, 128 secret key bits, 128 key bits, status: 1
subject DN: CN=*.shellenergy.co.uk
issuer DN: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 234 bytes total.
```

OK, this is a server error. NSS is removing the SHA-1 sigalgs because SHA-1 is turned off by policy. The server evidently requires only the sha-1 sigalgs. Fedora has turned off SHA-1 by policy, so you can't connect to that server with the Fedora policy.

The older versions of NSS should have failed later, when the server tried to sign the Ephemeral ECC key with the sigalg (unless the server ignored that sigalg and used some other hash, in which case there's definitely a bug in the server).

Setting crypto-policies to DEFAULT:SHA1 will enable these sites again:

```
update-crypto-policies --set DEFAULT:SHA1
```
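To make the mechanism in the comment above concrete, here is an added example (not code from the bug report, NSS, or crypto-policies) that models the TLS 1.2 signature_algorithms negotiation. It encodes and parses the extension body as defined in RFC 5246, applies a policy filter that mimics crypto-policies dropping the SHA-1 sigalgs from the ClientHello, and then looks for an overlap with a server that, as the comment says about this site, will only sign with SHA-1 sigalgs. The code points are the real TLS values; the SHA-1-only server set, the client offer list and the `simulate()` helper are constructed for illustration, and the policy names `DEFAULT`, `DEFAULT:SHA1` and `LEGACY` are the crypto-policies names used on this page.

```python
"""Model of why a SHA-1-only server yields SSL_ERROR_NO_CYPHER_OVERLAP under a
no-SHA-1 crypto policy, and why DEFAULT:SHA1 / LEGACY restore connectivity.
Added example, not NSS code."""
import struct

# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246 / RFC 8446 names).
SIGALGS = {
    0x0201: "rsa_pkcs1_sha1",
    0x0203: "ecdsa_sha1",
    0x0401: "rsa_pkcs1_sha256",
    0x0403: "ecdsa_secp256r1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0503: "ecdsa_secp384r1_sha384",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
}

# Constructed client preference list before any policy filtering.
CLIENT_DEFAULT_OFFER = [0x0804, 0x0805, 0x0401, 0x0501, 0x0403, 0x0503, 0x0201, 0x0203]

# Constructed server that only signs with SHA-1 sigalgs (the situation described
# in the comment above; not measured from the real site).
SHA1_ONLY_SERVER = {0x0201, 0x0203}


def policy_filter(sigalgs, allow_sha1):
    """Emulate the crypto-policy step: remove *_sha1 code points unless allowed."""
    return [cp for cp in sigalgs if allow_sha1 or not SIGALGS[cp].endswith("sha1")]


def encode_signature_algorithms(sigalgs):
    """Build the signature_algorithms extension body: a uint16 byte length
    followed by uint16 code points (RFC 5246 section 7.4.1.4.1)."""
    body = b"".join(struct.pack("!H", cp) for cp in sigalgs)
    return struct.pack("!H", len(body)) + body


def decode_signature_algorithms(blob):
    """Parse the extension body back into a list of code points, rejecting
    a length field that disagrees with the actual bytes."""
    (length,) = struct.unpack("!H", blob[:2])
    if length % 2 or len(blob) != 2 + length:
        raise ValueError("malformed signature_algorithms extension")
    return [struct.unpack("!H", blob[i:i + 2])[0] for i in range(2, 2 + length, 2)]


def negotiate(client_blob, server_supported):
    """Return the first client-preferred sigalg the server can sign with, or
    None, which is the condition NSS reports as SSL_ERROR_NO_CYPHER_OVERLAP."""
    for cp in decode_signature_algorithms(client_blob):
        if cp in server_supported:
            return SIGALGS[cp]
    return None


def server_requires_sha1(server_supported):
    """True when every sigalg the server can use is a SHA-1 one, i.e. the server
    itself is the thing that must be fixed rather than the client policy."""
    return all(SIGALGS[cp].endswith("sha1") for cp in server_supported)


def simulate(policy, server_supported=SHA1_ONLY_SERVER):
    """Run the handshake model under a named crypto policy (hypothetical mapping:
    only LEGACY and policies with a ':SHA1' subpolicy re-enable SHA-1 sigalgs)."""
    allow_sha1 = policy == "LEGACY" or policy.endswith(":SHA1")
    hello = encode_signature_algorithms(policy_filter(CLIENT_DEFAULT_OFFER, allow_sha1))
    return negotiate(hello, server_supported)


if __name__ == "__main__":
    print("server SHA-1 only:", server_requires_sha1(SHA1_ONLY_SERVER))
    for policy in ("DEFAULT", "DEFAULT:SHA1", "LEGACY"):
        print(policy, "->", simulate(policy) or "SSL_ERROR_NO_CYPHER_OVERLAP")
```

Under `DEFAULT` the filtered ClientHello carries no SHA-1 code points, so `negotiate()` finds nothing the SHA-1-only server can sign with and returns `None`; under `DEFAULT:SHA1` or `LEGACY` the same server matches `rsa_pkcs1_sha1`. `server_requires_sha1()` is the check a practitioner wants before loosening policy: if it is true, the durable fix is on the server side, and the `:SHA1` subpolicy is only a temporary workaround.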
Description of problem:
----------
Firefox fails to open the site www.shellenergy.co.uk :

    Secure Connection Failed
    An error occurred during a connection to www.shellenergy.co.uk. Cannot communicate securely with peer: no common encryption algorithm(s).
    Error code: SSL_ERROR_NO_CYPHER_OVERLAP
    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.
----------

Version-Release number of selected component (if applicable):
101.0.1 x86_64

How reproducible:
Always

Steps to Reproduce:
1. Open https://www.shellenergy.co.uk/

Actual results:
The error mentioned above

Expected results:
The site to load normally, as it is supposed to.

Additional info:
Note that the site is working properly using Mozilla's standalone version (same version number).
To be 100% sure about the bug I also tried on a fresh install of Fedora 36 (VirtualBox), so definitely this has nothing to do with my browser profile/user-settings.
The same bug exists on this site as "Bug 2043653" (closed due to EOL Fedora version).