That is the state of OpenSSL in Fedora after this morning: https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108
Since OpenSSL in Fedora from now on supports ECDHE, depending software needs to be rebuilt to make use of it, libraries like NSS/GnuTLS should do the same, and depending packages like Firefox need a rebuild against the refreshed NSS to support it on the client side as well. I made some triage today:

openssl: https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108
nss-softokn: https://bugzilla.redhat.com/show_bug.cgi?id=1019244
nss: https://bugzilla.redhat.com/show_bug.cgi?id=1019245
firefox: https://bugzilla.redhat.com/show_bug.cgi?id=1019247
thunderbird: https://bugzilla.redhat.com/show_bug.cgi?id=1019249
httpd: https://bugzilla.redhat.com/show_bug.cgi?id=1019251
dovecot: https://bugzilla.redhat.com/show_bug.cgi?id=1019253
postfix: https://bugzilla.redhat.com/show_bug.cgi?id=1019254
openssh: https://bugzilla.redhat.com/show_bug.cgi?id=1019256
dbmail: https://bugzilla.redhat.com/show_bug.cgi?id=1019259
Commit: http://pkgs.fedoraproject.org/gitweb/?p=httpd.git;a=commitdiff;h=aa55b1c6dd6d51e5fdee1cdeca7e90fa04c66f29
Package: httpd-2.4.6-4.fc20
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=472865
The "only ECC NIST Suite B curves support" seems to cripple openssl again: with "openssl-1.0.1e-4.fc18.1" all was fine for days, and starting with "openssl-1.0.1e-28.fc18" a few messages like the ones below appear in maillog and lead to a fallback to an unencrypted connection (yes, postfix was rebuilt against the new SSL build).

Oct 21 20:26:44 mail postfix/smtp[2217]: warning: TLS library problem: 2217:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:17:45 mail postfix/smtp[7226]: warning: TLS library problem: 7226:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:20:04 mail postfix/smtp[7411]: warning: TLS library problem: 7411:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:46:17 mail postfix/smtp[9202]: warning: TLS library problem: 9202:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:58:54 mail postfix/smtp[10007]: warning: TLS library problem: 10007:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12293]: warning: TLS library problem: 12293:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Result of "only ECC NIST Suite B curves support", followed by "relay=mx00.gmx.net[213.165.67.114]:2" unencrypted:

Oct 21 21:55:33 mail postfix/smtp[9799]: SSL_connect error to mx00.gmx.net[213.165.67.114]:25: -1
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 21:55:33 mail postfix/smtp[9799]: 3d3T9G66cmz23: Cannot start TLS: handshake failure
Oct 21 21:55:33 mail postfix/smtp[9799]: Host offered STARTTLS: [mx00.gmx.net]
Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to mx00.gmx.net[213.165.67.99]:25: -1
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 22:29:22 mail postfix/smtp[12289]: 3d3Tvy5Cdsz23: Cannot start TLS: handshake failure
What a shame - sorry - the above two comments belong to https://bugzilla.redhat.com/show_bug.cgi?id=1019390#c2
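As an added example (not code from the bug report, from Postfix or from OpenSSL), here is a small Python parser that runs over the postfix/smtp maillog lines quoted in the two comments above and flags the delivery processes where the STARTTLS handshake failed right after the EC_GROUP_new_by_curve_name "unknown group" error. That is the exact sequence behind the silent plaintext fallback the reporter describes: with opportunistic TLS (smtp_tls_security_level = may) Postfix delivers without encryption when the handshake fails, so an operator who only watches for "Cannot start TLS" would not see which failures were caused by the curve mismatch. The regexes and the per-process session layout are constructed for this example, as is the pid 5000 line (relay mx.example.test, IP 192.0.2.10), which shows a successful ECDHE handshake for contrast; the other lines are copied from the report.

```python
import re
from collections import defaultdict

# Sample maillog excerpt. The postfix/smtp lines for pids 2217, 9799 and 12289
# are the ones quoted in the bug report; the pid 5000 line is constructed here
# to show what a successful ECDHE handshake looks like for contrast.
SAMPLE_LOG = """\
Oct 21 20:26:44 mail postfix/smtp[2217]: warning: TLS library problem: 2217:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:00:00 mail postfix/smtp[5000]: Trusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 21 21:55:33 mail postfix/smtp[9799]: SSL_connect error to mx00.gmx.net[213.165.67.114]:25: -1
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 21:55:33 mail postfix/smtp[9799]: 3d3T9G66cmz23: Cannot start TLS: handshake failure
Oct 21 21:55:33 mail postfix/smtp[9799]: Host offered STARTTLS: [mx00.gmx.net]
Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to mx00.gmx.net[213.165.67.99]:25: -1
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 22:29:22 mail postfix/smtp[12289]: 3d3Tvy5Cdsz23: Cannot start TLS: handshake failure
"""

# Regexes for the log shapes in the excerpt (written for this example, not
# Postfix's own parsing code). OpenSSL error strings have the fixed layout
# <pid>:error:<code>:<library>:<function>:<reason>:<file>:<line>:
RE_PREFIX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RE_TLS_PROBLEM = re.compile(
    r"warning: TLS library problem: \d+:error:(?P<code>[0-9A-Fa-f]+):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):")
RE_CONNECT_ERR = re.compile(r"SSL_connect error to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+")
RE_HANDSHAKE_FAIL = re.compile(r"^(?P<queue>[0-9A-Za-z]+): Cannot start TLS: handshake failure")
RE_ESTABLISHED = re.compile(
    r"^(?:Trusted|Verified|Untrusted|Anonymous) TLS connection established to "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")


def new_session():
    return {"relay": None, "errors": [], "handshake_failed": False,
            "queue_ids": [], "tls": None}


def parse_maillog(text):
    """Group postfix/smtp lines by delivery process (pid) and record, per process,
    the relay contacted, every OpenSSL error (code, library, function, reason),
    whether STARTTLS ended in a handshake failure, and any TLS parameters that
    were actually negotiated."""
    sessions = defaultdict(new_session)
    for line in text.splitlines():
        m = RE_PREFIX.match(line)
        if not m:
            continue
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        if (e := RE_TLS_PROBLEM.search(msg)):
            s["errors"].append((e["code"], e["lib"], e["func"], e["reason"]))
        elif (c := RE_CONNECT_ERR.search(msg)):
            s["relay"] = (c["host"], c["ip"])
        elif (h := RE_HANDSHAKE_FAIL.match(msg)):
            s["handshake_failed"] = True
            s["queue_ids"].append(h["queue"])
        elif (t := RE_ESTABLISHED.match(msg)):
            s["relay"] = (t["host"], t["ip"])
            s["tls"] = (t["proto"], t["cipher"])
    return dict(sessions)


def ec_fallbacks(sessions):
    """pids whose handshake failed and whose OpenSSL error trail includes the
    elliptic-curve 'unknown group' failure (code 100AE081, raised by
    EC_GROUP_new_by_curve_name). Under opportunistic TLS these deliveries went
    out unencrypted, so they are the ones worth alerting on."""
    hits = []
    for pid, s in sessions.items():
        ec_error = any(code == "100AE081" or lib == "elliptic curve routines"
                       for code, lib, _func, _reason in s["errors"])
        if s["handshake_failed"] and ec_error:
            hits.append(pid)
    return sorted(hits, key=int)


def report(sessions):
    """One human-readable line per affected delivery: relay, queue id(s) and the
    OpenSSL error chain in the order it was logged."""
    lines = []
    for pid in ec_fallbacks(sessions):
        s = sessions[pid]
        host, ip = s["relay"] if s["relay"] else ("?", "?")
        chain = " -> ".join(f"{code}:{func}:{reason}"
                            for code, _lib, func, reason in s["errors"])
        lines.append(f"pid {pid}: {host}[{ip}] queue={','.join(s['queue_ids'])} {chain}")
    return lines


if __name__ == "__main__":
    for line in report(parse_maillog(SAMPLE_LOG)):
        print(line)
```

Run against a live maillog, the report singles out pids 9799 and 12289 from the excerpt (both hit 100AE081 and then 1408D010 in SSL3_GET_KEY_EXCHANGE before "Cannot start TLS"), while pid 2217, which only logged the curve warning, and pid 5000, which negotiated ECDHE-RSA-AES256-GCM-SHA384, are left out. Keying on the error code rather than on the free-text reason keeps the check stable across OpenSSL builds that word the message differently.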
This bug report is for F18; until now httpd updates are available in the Fedora repos only for F20, while NSS for TB/Firefox now supports ECDHE:
https://bugzilla.redhat.com/show_bug.cgi?id=1019245#c8
http://koji.fedoraproject.org/koji/packageinfo?packageID=280
If possible, could we get a rebuild for F19 as well?
Upstream is gearing up for 2.4.7 RSN - ECC support will get picked up automagically when we do a new f19 build.
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Problem is still present in Fedora 19. Upping version number to prevent the bot from closing bug.

httpd-2.4.6-2.fc19.x86_64
mod_ssl-2.4.6-2.fc19.x86_64
openssl-1.0.1e-37.fc19.x86_64
This is because nobody cared to build apache 2.4.7 for F18/F19 or at least rebuild 2.4.6 - that's why I maintain my own server packages, and on 2013-10-15 our F18 infrastructure started to support ECDHE, as it does now after the F19 upgrade:

httpd-2.4.7-4.fc19.20140107.rh.x86_64
mod_ssl-2.4.7-4.fc19.20140107.rh.x86_64

http://koji.fedoraproject.org/koji/packageinfo?packageID=280

2.4.7 also has a lot of other bugfixes: http://httpd.apache.org/dev/dist/CHANGES_2.4.7

Even the apache package of RHEL7-Beta1 supports ECDHE: httpd-2.4.6-7.el7.x86_64
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
We have 2.4.10 now in all supported Fedora versions, so it should be fixed now.