Description of problem:
Cannot connect to 3des in DEFAULT profile.

Version-Release number of selected component (if applicable):
# rpm -q openssl crypto-policies
openssl-1.1.0e-1.fc27.x86_64
crypto-policies-20170214-2.gitf3018dd.fc26.noarch

How reproducible:
always

Steps to Reproduce:
1. update-crypto-policies --set DEFAULT
2. (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com

Actual results:
Setting system policy to DEFAULT
CONNECTED(00000003)
139714742982400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 268 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    Start Time: 1490860465
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
# echo $?
1

Expected results:

Additional info:
Testcase from http://fedoraproject.org/wiki/QA:Testcase_CryptoPolicies_Sanity

Upstream decided to disable (at build time) support for all weak ciphersuites by default. I want to follow it.
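
Added example, not part of the original report and not code from OpenSSL or crypto-policies: a small shell helper that classifies an `openssl s_client` transcript like the one above, telling a handshake rejected with an alert apart from one that negotiated a 3DES suite. The function names and both sample transcripts are constructed here, and matching on `DES-CBC3` assumes OpenSSL's own naming of its 3DES suites.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript read from stdin.
# Output is one of:
#   rejected-alert            handshake failure alert seen, no cipher agreed
#   no-cipher                 no cipher agreed, no alert line seen
#   negotiated-3des <name>    a 3DES suite was agreed (OpenSSL names contain DES-CBC3)
#   negotiated <name>         some other suite was agreed
#   unknown                   transcript has no "Cipher is" summary line
classify_handshake() {
    awk '
        /alert handshake failure/ { alert = 1 }
        /Cipher is / {                 # summary line: New, (NONE), Cipher is (NONE)
            sub(/^.*Cipher is /, "")
            cipher = $0
        }
        END {
            if (cipher == "")              print "unknown"
            else if (cipher == "(NONE)")   print (alert ? "rejected-alert" : "no-cipher")
            else if (cipher ~ /DES-CBC3/)  print "negotiated-3des " cipher
            else                           print "negotiated " cipher
        }'
}

# Constructed sample: the relevant lines of the output quoted in this report.
sample_rejected() {
    cat <<'EOF'
CONNECTED(00000003)
139714742982400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
EOF
}

# Constructed sample: summary line as it would look if a 3DES suite were agreed.
sample_3des() {
    cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-DES-CBC3-SHA
EOF
}

sample_rejected | classify_handshake
sample_3des | classify_handshake
```

Against a live host, pipe the command from step 2 into `classify_handshake` with `2>&1`, since `s_client` writes the alert line to stderr.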