Bug 1437363 - openssl could not use 3des in DEFAULT profile
Summary: openssl could not use 3des in DEFAULT profile
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-03-30 08:05 UTC by Lukáš Zachar
Modified: 2017-03-30 08:25 UTC (History)

Last Closed: 2017-03-30 08:25:03 UTC
Type: Bug

Description Lukáš Zachar 2017-03-30 08:05:58 UTC
Description of problem:

Cannot connect to 3des in DEFAULT profile.


Version-Release number of selected component (if applicable):
# rpm -q openssl crypto-policies
openssl-1.1.0e-1.fc27.x86_64
crypto-policies-20170214-2.gitf3018dd.fc26.noarch

How reproducible:
always

Steps to Reproduce:
1. update-crypto-policies --set DEFAULT
2. (sleep 5; echo -e "GET / HTTP/1.1\n\n") |openssl s_client -connect 3des.badssl.com:443 -servername 3des.badssl.com


Actual results:
Setting system policy to DEFAULT
CONNECTED(00000003)
139714742982400:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1385:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 268 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    Start Time: 1490860465
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
# echo $?
1


Expected results:


Additional info:
Testcase from http://fedoraproject.org/wiki/QA:Testcase_CryptoPolicies_Sanity

Comment 1 Tomas Mraz 2017-03-30 08:25:03 UTC
The upstream decided to disable (at build time) support for all weak ciphersuites by default. I want to follow it.
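
The handshake failure in the report looks the same whether 3DES is blocked by the crypto policy or missing from the OpenSSL build, so the following added example (not part of the bug report or of the Fedora/OpenSSL code) compares two `openssl ciphers -v` listings to tell the cases apart. The function names `has_3des` and `classify_3des` are hypothetical, and the sample cipher lines are constructed.

```shell
#!/bin/sh
# Added example: distinguish "3DES compiled out" from "3DES disabled by policy".

# has_3des: succeed if the `openssl ciphers -v` output on stdin lists any
# suite whose encryption column is 3DES, e.g. "Enc=3DES(168)".
has_3des() {
    grep 'Enc=3DES' >/dev/null
}

# classify_3des BUILD_LIST DEFAULT_LIST
#   BUILD_LIST   : output of `openssl ciphers -v 'ALL:COMPLEMENTOFALL'`,
#                  i.e. every suite the library was built with
#   DEFAULT_LIST : output of `openssl ciphers -v` with no cipher string,
#                  i.e. the default list that s_client in the report uses
# Prints one of: not-built, policy-disabled, enabled
classify_3des() {
    if ! printf '%s\n' "$1" | has_3des; then
        echo "not-built"          # no policy setting can bring it back
    elif ! printf '%s\n' "$2" | has_3des; then
        echo "policy-disabled"    # present in the build, filtered by default
    else
        echo "enabled"
    fi
}

# Constructed sample lines in `openssl ciphers -v` output format.
SAMPLE_AES='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'
SAMPLE_3DES='DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Live check, run only when an openssl binary is installed.
if command -v openssl >/dev/null 2>&1; then
    build=$(openssl ciphers -v 'ALL:COMPLEMENTOFALL' 2>/dev/null || true)
    default=$(openssl ciphers -v 2>/dev/null || true)
    echo "3DES on this host: $(classify_3des "$build" "$default")"
fi
```

A result of `not-built` corresponds to the situation described in comment 1, where changing the policy with `update-crypto-policies` cannot re-enable the suite.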

