Bug 2219047

Summary: Can't load captive portal to connect to public WiFi
Product: [Fedora] Fedora Reporter: Sam Morris <sam>
Component: firefoxAssignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 38CC: erack, gecko-bugs-nobody, jhorak, klaas, rstrode
Target Milestone: ---Keywords: Desktop
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
URL: https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-05-28 13:18:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sam Morris 2023-07-01 11:22:04 UTC 
Firefox detects the URL of the captive portal, but is unable to load the URL.

https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html

I get an SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM error.

Reproducible: Always

Steps to Reproduce:
1. Go to https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html in Firefox

Actual Results:  
SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM error

Expected Results:  
Page should load

'openssl s_client -connect stagecoach.on.icomera.com:443' works fine.

The page also loads fine with chromium.

I am using the DEFAULT:DH-SIZE crypto policy. /etc/crypto-policies/modules/DH-SIZE.pmod contains:

    # https://lists.fedorahosted.org/archives/list/devel@lists.fedoraproject.org/message/QWIVDHSPRM3H7W4ZOCGMVOQ2XXRSAT44/
    min_dh_size = 2047

The default min DH size is 2048, so this relaxes that requiremnt; as such it should not be related to this problem.
Comment 1 Sam Morris 2023-07-01 11:39:15 UTC 
If I change the crypto policy to simply "DEFAULT" then OpenSSL rejects the connection just like Firefox:

    $ curl 'https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html'
    curl: (35) OpenSSL/3.0.9: error:0A000172:SSL routines::wrong signature type

Setting it back to DEFAULT:DH-SIZE gets OpenSSL/curl working again.

So perhaps the problem is that Firefox/NSS don't obey the min_dh_size crypto-policies option?

    $ update-crypto-policies --show
    DEFAULT:DH-SIZE

    $ /usr/lib64/nss/unsupported-tools/tstclnt -b -D -h stagegoach.on.icomera.com
    tstclnt: read from socket failed: SSL_ERROR_UNSUPPORTED_VERSION: Peer using unsupported version of security protocol.

    $ curl -sS -I 'https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html' | head -n1
    HTTP/1.1 200 OK
Comment 2 Aoife Moloney 2024-05-28 13:18:11 UTC 
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.