Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.Install latest firefox from fedora repo ( firefox-67.0-3.fc30 ) 2.open firefox and go to https://www.3dcenter.org/ Actual results: SSL_ERROR_DECODE_ERROR_ALERT Expected results: page loading Additional info: The website works with chromium-vaapi and the firefox downloaded from mozilla.org so there has to be something in this build. Also I have tested it in safemode to test without addons.
I did a bit of testing and found out that it is not firefox causing the problem but NSS. I reverted to nss-3.43.0-1.fc30.i686 nss-3.43.0-1.fc30.x86_64 nss-sysinit-3.43.0-1.fc30.x86_64 nss-tools-3.43.0-1.fc30.x86_64 and now I can access www.3dcenter.org again. Doing a distro-sync back to nss 3.44 makes the website inaccessible with the error described in my first post. Sorry for the confusion.
Thank you for the report. For some reason the server sends the alert if NSS doesn't include x25519 in the supported_groups extension. If you modify /etc/crypto-policies/back-ends/nss.config and add "CURVE25519" after the "allow=" clause, it should work: config="disallow=ALL allow=CURVE25519:HMAC-SHA256:..." I am not sure why this causes the difference, but perhaps because in that case the the key_share extension becomes longer than the server can handle.
that works indeed. what now?
https://gitlab.com/redhat-crypto/fedora-crypto-policies/merge_requests/44
I am going to apply this patch of course, but it would still be interesting to know why the decode error alert is sent. Is that rather a server-side problem or nss is doing something wrong? There is also bug 1713416 which is probably a duplicate.
I'm in contact with the site owner and they also have no clue why this happens, since they dont even utilize this curve. according to ssllabs.com they use SECP384R1
crypto-policies-20190527-1.git0b3add8.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d
crypto-policies-20190527-1.git0b3add8.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8
While there is a bug in crypto-policies: X25519 should not be disabled in DEFAULT policy, the interoperability issue is caused by a bug in server, which most likely is using LibreSSL. I was able to reproduce it using local build of LibreSSL so I've filed https://github.com/libressl-portable/portable/issues/531 upstream.
crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-6ade51841d
crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-534728cfe8
*** Bug 1713416 has been marked as a duplicate of this bug. ***
crypto-policies-20190527-1.git0b3add8.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
crypto-policies-20190527-1.git0b3add8.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Hi, For Fedora 29 obtaining the following as of yesterday : ======================================= Skipping packages with conflicts: (add '--best --allowerasing' to command line to force their upgrade): crypto-policies noarch 20190527-1.git0b3add8.fc29 updates 51 k ======================================== Using the --best and --allowerasing obtained the following : ======================================== (try to add '--skip-broken' to skip uninstallable packages) ======================================== Did not capture the issue of reporting that conflict with other libraries. Today : ======================================== Problem: package crypto-policies-20190527-1.git0b3add8.fc29.noarch conflicts with libreswan < 3.28 provided by libreswan-3.27-1.fc29.x86_64 - cannot install the best update candidate for package libreswan-3.27-1.fc29.x86_64 - cannot install the best update candidate for package crypto-policies-20190211-2.gite3eacfc.fc29.noarch ========================================= Regards, Shadders.
Please just enable the testing repository temporarily. There is libreswan update there that should resolve this conflict.
Hi, Thanks. I am a novice, so will await the stable repository update, rather than tinker with the PC. Regards, Shadders.
You can just use dnf --enablerepo=updates-testing update crypto-policies And then you will be able to do normal dnf update to update the rest of the system without a problem. Or of course you can wait with the updates until the libreswan update makes it into stable.