Bug 1321015 - openssl policy enables a cipher, ECDHE-RSA-AES256-SHA, in the HTTP/2.0 blacklist
Summary: openssl policy enables a cipher, ECDHE-RSA-AES256-SHA, in the HTTP/2.0 blacklist
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: crypto-policies
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nikos Mavrogiannopoulos
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-24 13:26 UTC by Rob Crittenden
Modified: 2016-03-31 12:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-03-31 12:41:17 UTC
Type: Bug



Description Rob Crittenden 2016-03-24 13:26:13 UTC
Description of problem:

The OpenSSL crypto policy enables ECDHE-RSA-AES256-SHA which is in the RFC 7540 blacklist for HTTP/2.0.

Apache reports:

[Wed Mar 23 18:15:47.249784 2016] [http2:debug] [pid 13037] h2_h2.c(514): [client 192.168.0.1:44332] h2_h2(1): tls cipher ECDHE-RSA-AES256-SHA blacklisted by rfc7540

Version-Release number of selected component (if applicable):

crypto-policies-20151104-1.gitf1cba5f.fc23

Steps to Reproduce:
1. systemctl start httpd.service
2. curl -k --http2 https://localhost/

Actual results:

curl: (16) HTTP/2 stream 1 was not closed cleanly: error_code = 8

Expected results:

Display of root page

Comment 1 Nikos Mavrogiannopoulos 2016-03-31 07:07:47 UTC
The crypto policies don't really follow any protocol's recommendation. There is nothing insecure about ECDHE-RSA-AES256-SHA, so it will not be disabled by the crypto policies. It is up to the HTTP/2.0 applications to get specific on which ciphersuites they enable. Nevertheless, the RFC7540 "Cipher Suite Black List" section looks out of place and shouldn't have been specified at all.
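The rule behind the mod_http2 log line in the description, and the per-application ciphersuite selection Comment 1 says is needed, can be checked ahead of time. The following script is an added example, not part of this bug report or of crypto-policies: it applies the RFC 7540 section 9.2.2 criterion (ephemeral key exchange and an AEAD cipher, which is what Appendix A's blacklist encodes) to OpenSSL cipher-suite names, and the sample cipher list it audits is constructed for illustration.

```python
# Classifies OpenSSL cipher-suite names against the RFC 7540 section 9.2.2
# rule that mod_http2 enforces: an HTTP/2 connection over TLS 1.2 needs an
# ephemeral, authenticated (ECDHE/DHE) key exchange AND an AEAD cipher.
# Appendix A of the RFC lists the registered suites failing one of those tests.
import ssl

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")          # authenticated ephemeral kx
AEAD_MARKERS = ("-GCM-", "-CCM", "-CHACHA20-POLY1305")
TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")   # TLS 1.3: always AEAD + ephemeral


def h2_rejection_reason(suite):
    """Return None if HTTP/2 accepts `suite`, else a short reason string."""
    if suite.startswith(TLS13_PREFIXES):
        return None                       # TLS 1.3 suites are never blacklisted
    if not suite.startswith(EPHEMERAL_PREFIXES):
        return "key exchange is not authenticated ECDHE/DHE (RFC 7540 Appendix A)"
    if not any(marker in suite for marker in AEAD_MARKERS):
        return "non-AEAD cipher, e.g. CBC-SHA (RFC 7540 Appendix A)"
    return None


def audit_cipher_list(cipher_list):
    """Map each rejected suite in a colon-separated OpenSSL list to its reason."""
    rejected = {}
    for suite in cipher_list.split(":"):
        reason = h2_rejection_reason(suite)
        if reason:
            rejected[suite] = reason
    return rejected


def audit_openssl_spec(spec):
    """Expand an OpenSSL cipher string (such as the one a crypto policy installs)
    with the local libssl, then audit the resulting suites. Result depends on
    the OpenSSL build in use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return audit_cipher_list(":".join(c["name"] for c in ctx.get_ciphers()))


# Constructed sample: a TLS 1.2 cipher list of the kind a system policy might
# hand to Apache, including the suite from the bug report.
SAMPLE_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256"
)

if __name__ == "__main__":
    for suite, why in audit_cipher_list(SAMPLE_LIST).items():
        print(f"{suite}: rejected for HTTP/2 ({why})")
```

Running audit_openssl_spec against the cipher string your policy actually installs shows which suites a client could still negotiate that mod_http2 will then refuse.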

Comment 2 Rob Crittenden 2016-03-31 12:41:17 UTC
Ok. The error message out of Apache is clear enough to understand what to do.
