Bug 1019251 - ECDHE: now supported in Fedora's OpenSSL
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: httpd (Show other bugs)
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Jan Kaluža
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: ecc
Reported: 2013-10-15 07:20 EDT by Harald Reindl
Modified: 2014-08-20 07:39 EDT
CC: 7 users

See Also:
Fixed In Version: httpd-2.4.6-4.fc20
Doc Type: Bug Fix
Last Closed: 2014-08-20 07:39:49 EDT
Type: Bug
Attachments: None
Description Harald Reindl 2013-10-15 07:20:08 EDT
that is the state of OpenSSL in Fedora after this morning
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108
Comment 1 Harald Reindl 2013-10-15 07:31:35 EDT
since OpenSSL in Fedora from now on supports ECDHE,
dependent software needs to be rebuilt to make use
of it; libraries like NSS/GNUTLS should do the same,
and dependent packages like Firefox need a rebuild
against refreshed NSS to support it on the client
side as well

I made some triage today
_____________________________________________________

openssl:
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

nss-softokn
https://bugzilla.redhat.com/show_bug.cgi?id=1019244

nss
https://bugzilla.redhat.com/show_bug.cgi?id=1019245

firefox
https://bugzilla.redhat.com/show_bug.cgi?id=1019247

thunderbird:
https://bugzilla.redhat.com/show_bug.cgi?id=1019249

httpd:
https://bugzilla.redhat.com/show_bug.cgi?id=1019251

dovecot:
https://bugzilla.redhat.com/show_bug.cgi?id=1019253

postfix:
https://bugzilla.redhat.com/show_bug.cgi?id=1019254

openssh:
https://bugzilla.redhat.com/show_bug.cgi?id=1019256

dbmail:
https://bugzilla.redhat.com/show_bug.cgi?id=1019259
Comment 3 Harald Reindl 2013-10-21 17:14:56 EDT
the "only ECC NIST Suite B curves support" seems to cripple openssl again
with "openssl-1.0.1e-4.fc18.1" all was fine for days, and starting with "openssl-1.0.1e-28.fc18" a few messages like the ones below appear in the maillog and lead to a fallback to an unencrypted connection (yes, postfix was rebuilt against the new SSL build)

Oct 21 20:26:44 mail postfix/smtp[2217]: warning: TLS library problem: 2217:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:17:45 mail postfix/smtp[7226]: warning: TLS library problem: 7226:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:20:04 mail postfix/smtp[7411]: warning: TLS library problem: 7411:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:46:17 mail postfix/smtp[9202]: warning: TLS library problem: 9202:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:58:54 mail postfix/smtp[10007]: warning: TLS library problem: 10007:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12293]: warning: TLS library problem: 12293:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Comment 4 Harald Reindl 2013-10-21 17:19:12 EDT
the result of "only ECC NIST Suite B curves support", followed by "relay=mx00.gmx.net[213.165.67.114]:2" unencrypted

Oct 21 21:55:33 mail postfix/smtp[9799]: SSL_connect error to mx00.gmx.net[213.165.67.114]:25: -1
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 21:55:33 mail postfix/smtp[9799]: 3d3T9G66cmz23: Cannot start TLS: handshake failure
Oct 21 21:55:33 mail postfix/smtp[9799]: Host offered STARTTLS: [mx00.gmx.net]


Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to mx00.gmx.net[213.165.67.99]:25: -1
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 22:29:22 mail postfix/smtp[12289]: 3d3Tvy5Cdsz23: Cannot start TLS: handshake failure
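A detector for the failure pattern in the maillog above, added here as an example (it is not code from the bug report, Fedora or Postfix): it groups postfix/smtp lines by delivery PID and reports the relays whose STARTTLS handshake failed after the local OpenSSL rejected the peer's curve (EC_GROUP_new_by_curve_name / unknown group), which with opportunistic TLS ends in cleartext delivery. The sample lines are constructed from the quoted output; the final successful session and its host are made up.

```python
import re

# Sample postfix maillog lines, constructed for this example from the output quoted in
# comments 3 and 4 (same relay and PIDs); the last line is a made-up successful session.
SAMPLE_LOG = """\
Oct 21 21:55:33 mail postfix/smtp[9799]: SSL_connect error to mx00.gmx.net[213.165.67.114]:25: -1
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 21:55:33 mail postfix/smtp[9799]: warning: TLS library problem: 9799:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
Oct 21 21:55:33 mail postfix/smtp[9799]: 3d3T9G66cmz23: Cannot start TLS: handshake failure
Oct 21 22:29:22 mail postfix/smtp[12289]: SSL_connect error to mx00.gmx.net[213.165.67.99]:25: -1
Oct 21 22:29:22 mail postfix/smtp[12289]: warning: TLS library problem: 12289:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
Oct 21 22:29:22 mail postfix/smtp[12289]: 3d3Tvy5Cdsz23: Cannot start TLS: handshake failure
Oct 21 22:30:01 mail postfix/smtp[9900]: Trusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
"""

PID_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")            # delivery process + message
CONNECT_RE = re.compile(r"SSL_connect error to ([^\[\s]+)\[([^\]]+)\]")  # relay host + IP
LIBERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+):")  # OpenSSL error
FAILURE_MARK = "Cannot start TLS: handshake failure"


def parse_tls_failures(log_text):
    """Group postfix/smtp lines by PID; return the sessions whose handshake failed."""
    sessions = {}
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        s = sessions.setdefault(pid, {"pid": pid, "relay": None, "ip": None,
                                      "errors": [], "handshake_failed": False})
        c = CONNECT_RE.search(msg)
        if c:
            s["relay"], s["ip"] = c.group(1), c.group(2)
        e = LIBERR_RE.search(msg)
        if e:  # code, library, function, reason as OpenSSL prints them
            s["errors"].append({"code": e.group(1), "lib": e.group(2),
                                "func": e.group(3), "reason": e.group(4)})
        if FAILURE_MARK in msg:
            s["handshake_failed"] = True
    return [s for s in sessions.values() if s["handshake_failed"]]


def unknown_curve_failures(log_text):
    """(relay, ip) pairs whose failure was caused by an unsupported EC curve."""
    return [(s["relay"], s["ip"]) for s in parse_tls_failures(log_text)
            if any(e["func"] == "EC_GROUP_new_by_curve_name" and e["reason"] == "unknown group"
                   for e in s["errors"])]


if __name__ == "__main__":
    for relay, ip in unknown_curve_failures(SAMPLE_LOG):
        print(f"plaintext fallback risk: {relay}[{ip}]")
```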
Comment 5 Harald Reindl 2013-10-21 17:36:57 EDT
what a shame - sorry - the above two comments belong to
https://bugzilla.redhat.com/show_bug.cgi?id=1019390#c2
Comment 6 Harald Reindl 2013-10-31 15:07:19 EDT
this bug report is for F18; until now httpd updates are only available for F20 in the fedora-repos, while NSS for TB/Firefox now supports ECDHE

https://bugzilla.redhat.com/show_bug.cgi?id=1019245#c8
http://koji.fedoraproject.org/koji/packageinfo?packageID=280
Comment 7 Scott Shambarger 2013-11-15 10:30:14 EST
If possible, could we get a rebuild for F19 as well?
Comment 8 Joe Orton 2013-11-18 07:15:12 EST
Upstream is gearing up for 2.4.7 RSN - ECC support will get picked up automagically when we do a new f19 build.
Comment 9 Fedora End Of Life 2013-12-21 10:48:14 EST
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 10 Hubert Kario 2014-01-21 12:11:31 EST
Problem is still present in Fedora 19. Upping version number to prevent the bot from closing bug.

httpd-2.4.6-2.fc19.x86_64
mod_ssl-2.4.6-2.fc19.x86_64
openssl-1.0.1e-37.fc19.x86_64
Comment 11 Harald Reindl 2014-01-21 12:19:47 EST
this is because nobody cared to build apache 2.4.7 for F18/F19 or
at least rebuild 2.4.6 - that's why I maintain my own server
packages, and on 2013-10-15 our F18 infrastructure started to
support ECDHE, as it does now after the F19 upgrade

httpd-2.4.7-4.fc19.20140107.rh.x86_64
mod_ssl-2.4.7-4.fc19.20140107.rh.x86_64
Comment 12 Harald Reindl 2014-01-21 12:25:13 EST
http://koji.fedoraproject.org/koji/packageinfo?packageID=280

2.4.7 also has a lot of other bugfixes
http://httpd.apache.org/dev/dist/CHANGES_2.4.7

even the apache package of RHEL7-Beta1 supports ECDHE
httpd-2.4.6-7.el7.x86_64
Comment 13 Fedora Admin XMLRPC Client 2014-06-30 05:53:45 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Jan Kaluža 2014-08-20 07:39:49 EDT
We have 2.4.10 now in all supported Fedora versions, so it should be fixed now.
