Bug 2219047

Summary: Can't load captive portal to connect to public WiFi
Product: Fedora
Reporter: Sam Morris <sam>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 38
CC: erack, gecko-bugs-nobody, jhorak, klaas, rstrode
Target Milestone: ---
Keywords: Desktop
Target Release: ---
Hardware: Unspecified
OS: Linux
URL: https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html

Description Sam Morris 2023-07-01 11:22:04 UTC
Firefox detects the URL of the captive portal, but is unable to load the URL.

https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html

I get an SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM error.

Reproducible: Always

Steps to Reproduce:
1. Go to https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html in Firefox

Actual Results:
SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM error

Expected Results:
Page should load

'openssl s_client -connect stagecoach.on.icomera.com:443' works fine.

The page also loads fine with chromium.

I am using the DEFAULT:DH-SIZE crypto policy. /etc/crypto-policies/modules/DH-SIZE.pmod contains:

    # https://lists.fedorahosted.org/archives/list/devel@lists.fedoraproject.org/message/QWIVDHSPRM3H7W4ZOCGMVOQ2XXRSAT44/
    min_dh_size = 2047

The default min DH size is 2048, so this relaxes that requirement; as such it should not be related to this problem.

Comment 1 Sam Morris 2023-07-01 11:39:15 UTC
If I change the crypto policy to simply "DEFAULT" then OpenSSL rejects the connection just like Firefox:

    $ curl 'https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html'
    curl: (35) OpenSSL/3.0.9: error:0A000172:SSL routines::wrong signature type

Setting it back to DEFAULT:DH-SIZE gets OpenSSL/curl working again.

So perhaps the problem is that Firefox/NSS don't obey the min_dh_size crypto-policies option?

    $ update-crypto-policies --show
    DEFAULT:DH-SIZE

    $ /usr/lib64/nss/unsupported-tools/tstclnt -b -D -h stagegoach.on.icomera.com
    tstclnt: read from socket failed: SSL_ERROR_UNSUPPORTED_VERSION: Peer using unsupported version of security protocol.

    $ curl -sS -I 'https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html' | head -n1
    HTTP/1.1 200 OK
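A diagnostic added here as an example; it is not part of the bug report or of Firefox, NSS or crypto-policies. Both NSS's SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM and OpenSSL's "wrong signature type" are raised when a signature algorithm the server uses (in its certificate chain or in the handshake signature) falls outside what the client's policy permits, so a first check when triaging such a report is to read the signatureAlgorithm of the server's certificate rather than guessing at DH sizes. The script below walks the DER of an X.509 certificate with a minimal hand-written parser (no third-party library), returns the dotted OID, names it, and flags MD5- and SHA-1-based algorithms, which current Fedora DEFAULT policy does not accept for TLS. The certificate blobs it parses are constructed shells built by `build_sample_cert`, not the icomera server's real chain; `fetch_leaf_der` is an assumed helper that needs network access and is only there to feed a live certificate into the same check.

```python
import ssl
from typing import Dict

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and their usual names.
SIGNATURE_ALGORITHMS: Dict[str, str] = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",          # digest lives in the params, not checked here
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]      # first octet packs the first two arcs
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128 with continuation bit
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def certificate_signature_oid(der: bytes) -> str:
    """Return the OID from the outer signatureAlgorithm field of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate wholesale
    tag, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def assess_certificate(der: bytes) -> Dict[str, object]:
    """Name the signature algorithm and flag legacy digests (MD5, SHA-1)."""
    oid = certificate_signature_oid(der)
    name = SIGNATURE_ALGORITHMS.get(oid, "unknown")
    legacy = any(d in name.lower() for d in ("md5", "sha1"))
    return {"oid": oid, "name": name, "legacy_digest": legacy}


# --- constructed samples: structurally valid shells, not real certificates ---
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length suffices for these samples"
    return bytes([tag, len(value)]) + value


def build_sample_cert(oid_content: bytes) -> bytes:
    """Wrap a signature OID in the three-part Certificate SEQUENCE (constructed)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))                          # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_content) + _tlv(0x05, b""))    # OID + NULL params
    sig = _tlv(0x03, b"\x00\x00")                                   # placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)


SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")    # 1.2.840.10045.4.3.2


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Assumed helper: fetch a live server's leaf certificate (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    for label, oid in (("sha1-rsa sample", SHA1_RSA), ("ecdsa-sha256 sample", ECDSA_SHA256)):
        print(label, assess_certificate(build_sample_cert(oid)))
```

Run against a live host with `assess_certificate(fetch_leaf_der("example.invalid"))` (placeholder hostname) on a machine whose policy still permits the connection, or feed it a certificate saved from `openssl s_client -showcerts`. Note that the handshake signature is a separate thing from the certificate signature: `openssl s_client` reports it in its "Peer signing digest" and "Peer signature type" lines, and a server that signs the handshake with SHA-1 will trip the same errors even when its certificate chain is SHA-256.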