1549096 – FF and TB can't connect to several sites due to SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY error

Bug 1549096 - FF and TB can't connect to several sites due to SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY error

Summary: FF and TB can't connect to several sites due to SSL_ERROR_WEAK_SERVER_EPHEMER...

Keywords:
Status:	CLOSED DEFERRED
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	crypto-policies
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Nikos Mavrogiannopoulos
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1548016 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-26 11:50 UTC by Vít Ondruch
Modified:	2018-02-26 15:58 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2018-02-26 15:58:57 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1534532	0	unspecified	CLOSED	Strong crypto settings	2021-02-22 00:41:40 UTC

Internal Links: 1534532

Description Vít Ondruch 2018-02-26 11:50:48 UTC

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Vít Ondruch 2018-02-26 11:56:18 UTC

Sorry, somehow hit enter too early :/

Nevertheless, this is a bit blind shot, since I really don't know what might be the root cause of my issues. But since I updated my Rawhide last week, I have issues connecting to some sites using FF due to errors like:

~~~
An error occurred during a connection to ****.com. Při komunikaci protokolem SSL byl v inicializační zprávě typu Server Key Exchange obdržen slabý klíč typu Diffie-Hellman. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
~~~

I have similar issues connecting my TB to the mail server [1]. I have not updated neither FF nor TB, so it must be something else. Any idea what it could be? I can provide you list of updated libraries if that helps.



$ rpm -q ca-certificates 
ca-certificates-2018.2.22-2.fc28.noarch


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1548016

Comment 2 Vít Ondruch 2018-02-26 11:58:50 UTC

Actually, this might be crypto-policies, which were updated as well:

$ rpm -q crypto-policies
crypto-policies-20180112-1.git386e3fe.fc28.noarch

Comment 3 Nikos Mavrogiannopoulos 2018-02-26 15:23:35 UTC

https://fedoraproject.org/wiki/Changes/StrongCryptoSettings

Comment 4 Nikos Mavrogiannopoulos 2018-02-26 15:25:00 UTC

Thank you for reporting that. Could you please move that issue to the tracking bug of the change? We are already aware of the fact that some internal (usually) sites fail to work with the new rule, but it is good to have it explicit.

#1534532

Comment 5 Vít Ondruch 2018-02-26 15:29:25 UTC

(In reply to Nikos Mavrogiannopoulos from comment #4)
> Could you please move that issue to the
> tracking bug of the change?

Sorry, I am not sure what do you mean by this. Should I comment there and close this one or should I just block the tracking bug by this one?

Comment 6 Vít Ondruch 2018-02-26 15:31:03 UTC

BTW if you can send a short note to fedora-devel that this change landed and it might cause some issues, it could save some time to Rawhide users.

Also, for FF and TB, there is workaround. In about:config change every "dhe" option to "False", although it works for some sites but breaks others.

Comment 7 Vít Ondruch 2018-02-26 15:34:41 UTC

*** Bug 1548016 has been marked as a duplicate of this bug. ***

Comment 8 Nikos Mavrogiannopoulos 2018-02-26 15:39:28 UTC

Yes, please close that one and report the issue (+the sites affected) in #1534532. I've just sent a fedora-devel update on that.

Comment 9 Vít Ondruch 2018-02-26 15:58:57 UTC

Closing this in favor of bug 1534532

Note You need to log in before you can comment on or make changes to this bug.