Bug 2430274
| Summary: | netcat TLS support is broken with https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile (it ultimately depends on openssl X509_get_default_cert_file) | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | netcat | Assignee: | Robert Scheck <redhat-bugzilla> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | fkrenzel, redhat-bugzilla |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | netcat-1.237-3.fc43 | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2026-02-07 00:57:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
I noticed the postfix package tests are failing. It seems like it may be because netcat's TLS support is broken:

```
:: [ 22:10:36 ] :: [ BEGIN ] :: Starting netcat :: actually running 'nc -l 1125 -c mockserver.sh &'
nc: failed to open CA file '/etc/pki/tls/cert.pem': No such file or directory
```

Tracing this out, netcat does this:

```c
/* Default CA file path comes from libtls, which asks OpenSSL for its compiled-in cert file. */
Rflag = tls_default_ca_cert_file();
...
if (usetls) {
	if ((tls_cfg = tls_config_new()) == NULL)
		errx(1, "unable to allocate TLS config");
	/* Fails with "failed to open CA file ..." when that path does not exist. */
	if (Rflag && tls_config_set_ca_file(tls_cfg, Rflag) == -1)
		errx(1, "%s", tls_config_error(tls_cfg));
```

See https://github.com/openbsd/src/blob/28304016fe9353c375bc53e9b3d5bb67585d6a2a/usr.bin/nc/netcat.c#L172 and https://github.com/openbsd/src/blob/28304016fe9353c375bc53e9b3d5bb67585d6a2a/usr.bin/nc/netcat.c#L521 .

tls_default_ca_cert_file is from libretls, but it's just this:

```c
const char *
tls_default_ca_cert_file(void)
{
	/* OpenSSL's compiled-in default, OPENSSLDIR/cert.pem; no existence check. */
	return X509_get_default_cert_file();
}
```

X509_get_default_cert_file is from OpenSSL, and on Fedora it returns /etc/pki/tls/cert.pem, which doesn't exist. This is because since https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile we intentionally don't *have* a default "cert file" for OpenSSL, we have a default cert *directory*. OpenSSL can work with either, but netcat via libretls is assuming there will always be a cert file.

Is there a specific reason why you use OpenBSD netcat instead of Nmap Ncat? Red Hat especially has favored Nmap Ncat for 10+ years (and refused any nc alternative in RHEL over the same time frame).

No idea. I didn't write the postfix test suite.

FEDORA-2026-f7dee4d8de (netcat-1.237-3.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2026-f7dee4d8de

I'm not sure that's really a fix? I think it'll just result in there being no trusted certs, so all TLS operations will still fail?

After reading https://git.causal.agency/libretls/about/#Compatibility I think this is a fix. If you still disagree, patch proposals are welcome.

Ah, yeah, if this just puts LibreTLS back to default behaviour and its default is to follow OpenSSL's defaults, that should work indeed. I guess we'll find out next time the postfix test suite runs...

FEDORA-2026-f7dee4d8de has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-f7dee4d8de` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-f7dee4d8de See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Hmm, looks like now we get:

```
:: [ 20:30:08 ] :: [ BEGIN ] :: Starting netcat :: actually running 'nc -l 1125 -c mockserver.sh &'
nc: tls configuration failed (private/public key mismatch)
```

https://artifacts.dev.testing-farm.io/0728b162-650a-4293-a6fd-54f239c99eb9/ not sure if that's a test suite issue or nc issue...

FEDORA-2026-f7dee4d8de (netcat-1.237-3.fc43) has been pushed to the Fedora 43 stable repository. If the problem still persists, please make note of it in this bug report.
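As an added example, not code from this bug report, netcat or libretls: a small POSIX shell check that mirrors where OpenSSL's compiled-in default CA file and directory live (OPENSSLDIR/cert.pem and OPENSSLDIR/certs, the values X509_get_default_cert_file and X509_get_default_cert_dir return) and reports whether a client that, like netcat via libretls, insists on the file would fail on a directory-only system such as Fedora. It assumes an `openssl` binary on PATH; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report). OpenSSL compiles in two default
# CA locations: OPENSSLDIR/cert.pem (X509_get_default_cert_file) and
# OPENSSLDIR/certs (X509_get_default_cert_dir). OpenSSL's own default
# verify paths accept either, but a caller that hard-codes the file path
# (libretls' tls_default_ca_cert_file, as used by netcat) fails when only
# the directory is shipped.

# Print OPENSSLDIR for the installed openssl, e.g. "/etc/pki/tls" on Fedora.
openssl_dir() {
    openssl version -d | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# ca_status DIR: emit "file", "dir", "both" or "none" depending on whether
# DIR/cert.pem (regular file) and DIR/certs (directory) exist.
ca_status() {
    dir=$1
    f=0; d=0
    [ -f "$dir/cert.pem" ] && f=1
    [ -d "$dir/certs" ] && d=1
    case "$f$d" in
        11) echo both ;;
        10) echo file ;;
        01) echo dir ;;
        *)  echo none ;;
    esac
}

# file_only_caller_ok DIR: return 0 if a program that only loads the default
# cert *file* (netcat: tls_config_set_ca_file(tls_default_ca_cert_file()))
# would find it, 1 if it would fail with "failed to open CA file" as here.
file_only_caller_ok() {
    [ -f "$1/cert.pem" ]
}

main() {
    d=$(openssl_dir)
    printf 'OPENSSLDIR=%s\n' "$d"
    printf 'default CA locations present: %s\n' "$(ca_status "$d")"
    if file_only_caller_ok "$d"; then
        echo "file-only TLS clients will load $d/cert.pem"
    else
        echo "no $d/cert.pem: file-only TLS clients cannot open their CA file"
    fi
}

# Only probe the live system when an openssl binary is available.
if command -v openssl >/dev/null 2>&1; then main; fi
```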