Description of problem:
Last week, I switched cryptopolicy to FUTURE in /etc/cryptopolicy/config and promptly forgot about it. And today, while trying to update my Fedora system, I was greeted by dnf errors regarding the mirror list for rpmfusion, then fedora, with in the end the following issue:

# curl 'https://mirrors.fedoraproject.org/metalink?repo=fedora-25&arch=x86_64'
curl: (35) SSL version range is not valid.

So using FUTURE means that we can't update the system, and that seems a bit annoying.

There are several issues here to fix:
- the error message is quite puzzling on the dnf side, and also on the curl side.
- the "FUTURE" is either not usable systemwide

So should the setting be more adapted, or should something be changed on the Fedora side to use a proper cipher?

Version-Release number of selected component (if applicable):
crypto-policies-20160921-2.git75b9b04.fc25.noarch

How reproducible:
each time

Steps to Reproduce:
1. set FUTURE in /etc/cryptopolicy/config
2. udate-cryptopolicy
3. run dnf update

Actual results:
puzzling error message

Expected results:
stuff should be working

Additional info:
So after doing some fiddling, the issue is:
tls-version-min=tls1.2

Anything different from tls-version-min=tls1.0 fails. I am not sure if the issue is on the curl side or on the cryptopolicy side.
It seems the issue is in curl. If I provide explicitly TLS1.2 it works:

$ curl --tlsv1.2 https://www.google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
...

Otherwise:

$ curl https://www.google.com
curl: (35) SSL version range is not valid.

It seems its code cannot cope with NSS having TLS 1.0 or TLS 1.1 disabled.
Thank you for reporting the bug! The following upstream commit will fix it: https://github.com/curl/curl/commit/curl-7_51_0-17-g5d45ced
I have also included the --tlsv1.3 option to ease future testing of TLS 1.3: http://pkgs.fedoraproject.org/cgit/rpms/curl.git/commit/?id=c38149da
Kamil could you include that fix in F25 as well? F25 is the first release with NSS supporting crypto policies.
(In reply to Nikos Mavrogiannopoulos from comment #5)
> Kamil could you include that fix in F25 as well?

Sure. It is already included in dist-git (master and f25 share the same commit object). I am only waiting with the f25 build till the rawhide build finishes. Otherwise both the builds would fail due to port collisions in the upstream test suite in case a pair of builds was accidentally assigned to the same build host in Koji.
curl-7.51.0-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f35ce8775
curl-7.51.0-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f35ce8775
curl-7.51.0-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.