Bug 1713777 - Visiting www.3dcenter.org results in SSL_ERROR_DECODE_ERROR_ALERT
Summary: Visiting www.3dcenter.org results in SSL_ERROR_DECODE_ERROR_ALERT
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: crypto-policies
Version: 30
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Red Hat Crypto Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1713416 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-05-24 19:36 UTC by Martin Wolf
Modified: 2019-06-13 14:13 UTC (History)
21 users (show)

Fixed In Version: crypto-policies-20190527-1.git0b3add8.fc30 crypto-policies-20190527-1.git0b3add8.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-12 00:45:46 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github libressl-portable portable issues 531 0 None None None 2019-05-27 16:22:12 UTC

Description Martin Wolf 2019-05-24 19:36:20 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1.Install latest firefox from fedora repo ( firefox-67.0-3.fc30 )
2.open firefox and go to https://www.3dcenter.org/

Actual results: SSL_ERROR_DECODE_ERROR_ALERT 


Expected results: page loading


Additional info:
The website works with chromium-vaapi and the firefox downloaded from mozilla.org so there has to be something in this build. Also I have tested it in safemode to test without addons.

Comment 1 Martin Wolf 2019-05-25 00:41:31 UTC
I did a bit of testing and found out that it is not firefox causing the problem but NSS.
I reverted to    nss-3.43.0-1.fc30.i686                      nss-3.43.0-1.fc30.x86_64                      nss-sysinit-3.43.0-1.fc30.x86_64                      nss-tools-3.43.0-1.fc30.x86_64                     
and now I can access www.3dcenter.org again.
Doing a distro-sync back to nss 3.44 makes the website inaccessible with the error described in my first post.
Sorry for the confusion.

Comment 2 Daiki Ueno 2019-05-25 05:53:30 UTC
Thank you for the report. For some reason the server sends the alert if NSS doesn't include x25519 in the supported_groups extension. If you modify /etc/crypto-policies/back-ends/nss.config and add "CURVE25519" after the "allow=" clause, it should work:

config="disallow=ALL allow=CURVE25519:HMAC-SHA256:..."

I am not sure why this causes the difference, but perhaps because in that case the the key_share extension becomes longer than the server can handle.

Comment 3 Martin Wolf 2019-05-25 17:04:17 UTC
that works indeed. what now?

Comment 5 Tomas Mraz 2019-05-27 11:50:32 UTC
I am going to apply this patch of course, but it would still be interesting to know why the decode error alert is sent. Is that rather a server-side problem or nss is doing something wrong?

There is also bug 1713416 which is probably a duplicate.

Comment 6 Martin Wolf 2019-05-27 12:25:18 UTC
I'm in contact with the site owner and they also have no clue why this happens, since they dont even utilize this curve. according to ssllabs.com they use SECP384R1

Comment 7 Fedora Update System 2019-05-27 13:02:56 UTC
crypto-policies-20190527-1.git0b3add8.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d

Comment 8 Fedora Update System 2019-05-27 13:03:00 UTC
crypto-policies-20190527-1.git0b3add8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8

Comment 9 Alicja Kario 2019-05-27 16:21:54 UTC
While there is a bug in crypto-policies: X25519 should not be disabled in DEFAULT policy, the interoperability issue is caused by a bug in server, which most likely is using LibreSSL.

I was able to reproduce it using local build of LibreSSL so I've filed https://github.com/libressl-portable/portable/issues/531 upstream.

Comment 10 Fedora Update System 2019-05-28 02:28:00 UTC
crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d

Comment 11 Fedora Update System 2019-05-28 03:50:09 UTC
crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8

Comment 12 Daiki Ueno 2019-05-28 07:57:12 UTC
*** Bug 1713416 has been marked as a duplicate of this bug. ***

Comment 13 Fedora Update System 2019-06-12 00:45:46 UTC
crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2019-06-12 02:05:01 UTC
crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Shadders 2019-06-13 12:34:33 UTC
Hi,
For Fedora 29 obtaining the following as of yesterday :

=======================================
Skipping packages with conflicts:
(add '--best --allowerasing' to command line to force their upgrade):
 crypto-policies         noarch   20190527-1.git0b3add8.fc29   updates     51 k
========================================


Using the --best and --allowerasing obtained the following :

========================================
(try to add '--skip-broken' to skip uninstallable packages)
========================================
Did not capture the issue of reporting that conflict with other libraries.

Today :
========================================
 Problem: package crypto-policies-20190527-1.git0b3add8.fc29.noarch conflicts with libreswan < 3.28 provided by libreswan-3.27-1.fc29.x86_64
  - cannot install the best update candidate for package libreswan-3.27-1.fc29.x86_64
  - cannot install the best update candidate for package crypto-policies-20190211-2.gite3eacfc.fc29.noarch
=========================================

Regards,
Shadders.

Comment 16 Tomas Mraz 2019-06-13 12:50:13 UTC
Please just enable the testing repository temporarily. There is libreswan update there that should resolve this conflict.

Comment 17 Shadders 2019-06-13 13:02:43 UTC
Hi,
Thanks. I am a novice, so will await the stable repository update, rather than tinker with the PC. 
Regards,
Shadders.

Comment 18 Tomas Mraz 2019-06-13 14:13:54 UTC
You can just use

dnf --enablerepo=updates-testing update crypto-policies

And then you will be able to do normal dnf update to update the rest of the system without a problem.

Or of course you can wait with the updates until the libreswan update makes it into stable.


Note You need to log in before you can comment on or make changes to this bug.