Description of problem:
Starting with 1.7.2-1.el7, ZNC will not negotiate SSL/TLS sessions in either IRC or web mode. This has been tested with Let's Encrypt certs; I do not have other certs to test with. ZNC was working with the certs prior to the update.

Version-Release number of selected component (if applicable):
1.7.2-1.el7

How reproducible:
Simply start or restart ZNC. znc -D shows the actual error; starting it normally via systemctl does not.

Actual results:
Sample output from "znc -D"

[2019-02-14 15:40:10.178267] Connecting user/network [drkbish/ArchiveIRC]
[2019-02-14 15:40:10.178457] TDNS: initiating resolving of [irc.editingarchive.com] and bindhost []
[2019-02-14 15:40:10.181035] TDNS: IRC::drkbish::ArchiveIRC, connecting to [159.203.149.241] using bindhost []
[2019-02-14 15:40:10.187280] src/Csocket.cpp:1607 Could not assign cipher [PROFILE=SYSTEM]
[2019-02-14 15:40:10.187962] IRC::drkbish::ArchiveIRC == SockError(115 Operation now in progress)

The one IRC server I do not connect to via SSL does connect normally. Incoming connections to ZNC (either irc or https) do not work.

On HexChat, the error is:
--- Connection failed. Error: SSL handshake timed out

Expected results:
The bouncer should connect to IRC servers and allow incoming connections normally.

Additional info:
certbot was updated as well, but none of my other services using Let's Encrypt certificates (Apache, Postfix, and Dovecot) are experiencing issues, even after a restart.
I've got the same issue with a self-signed cert: [2019-02-14 09:35:27.594127] src/Csocket.cpp:1607 Could not assign cipher [PROFILE=SYSTEM]
Interesting; this does not appear to be an issue on F29, or at least my F29 server appears to be functioning fine without issues (or I wouldn't have pushed the update). I do not have an EL7 server to test.
It appears to be an issue with the system crypto policies patch. Can you please test https://koji.fedoraproject.org/koji/taskinfo?taskID=32811323 and see if it fixes it? You can download the builds at the bottom of that page.
Works for me. Thanks!
Confirmed - the given builds correct the issue and connections appear to be working properly.
znc-1.7.2-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3a504782e9
Please give https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3a504782e9 karma in bodhi so that I can get it pushed to stable ASAP.
znc-1.7.2-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-3a504782e9
(In reply to Nick Bebout from comment #3)
> It appears to be an issue with the system crypto policies patch. Can you
> please test https://koji.fedoraproject.org/koji/taskinfo?taskID=32811323 and
> see if it fixes it? You can download the builds at the bottom of that page.

RHEL 7 was forked from Fedora 19, while the system-wide crypto policies were introduced in Fedora 21. Thus, RHEL 7 simply does not have this feature yet, meaning PROFILE=SYSTEM is meaningless to the system OpenSSL library. RHEL 8 on the other hand does ship it, see https://access.redhat.com/articles/3666211 .

I can also confirm znc-1.7.2-2.el7 fixes the issue for me.
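Added example, not part of the bug thread and not ZNC's or the package's own code: a probe using Python's standard ssl module that asks the linked OpenSSL whether it can select any cipher from a given cipher string, which is the condition the "Could not assign cipher [PROFILE=SYSTEM]" log line reports. The function names and the candidate list are assumptions made for illustration.

```python
import ssl


def probe(cipher_string):
    """Ask the linked OpenSSL whether it can select any cipher from the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Raises ssl.SSLError when the string yields an empty cipher list,
        # e.g. a keyword this OpenSSL build does not understand.
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return {"string": cipher_string, "accepted": False, "detail": str(exc)}
    enabled = len(ctx.get_ciphers())
    return {"string": cipher_string, "accepted": True,
            "detail": "%d ciphers enabled" % enabled}


def choose_cipher_string(candidates):
    """Return the first candidate this OpenSSL accepts, or None if none is usable."""
    for candidate in candidates:
        if probe(candidate)["accepted"]:
            return candidate
    return None


if __name__ == "__main__":
    # Hypothetical candidate list: the crypto-policies keyword first,
    # then OpenSSL's built-in DEFAULT keyword.
    candidates = ["PROFILE=SYSTEM", "DEFAULT"]
    print("linked against:", ssl.OPENSSL_VERSION)
    for candidate in candidates:
        result = probe(candidate)
        state = "accepted" if result["accepted"] else "rejected"
        print("%-16s %s (%s)" % (result["string"], state, result["detail"]))
    print("usable cipher string:", choose_cipher_string(candidates))
```

On an OpenSSL build without the crypto-policies support described above, PROFILE=SYSTEM is reported as rejected; on a build that has it, the string is accepted.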
znc-1.7.2-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1677930 has been marked as a duplicate of this bug. ***