Firefox detects the URL of the captive portal, but is unable to load the URL.

https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html

I get an SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM error.

Reproducible: Always

Steps to Reproduce:
1. Go to https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html in Firefox

Actual Results:
SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM error

Expected Results:
Page should load

'openssl s_client -connect stagecoach.on.icomera.com:443' works fine. The page also loads fine with chromium.

I am using the DEFAULT:DH-SIZE crypto policy. /etc/crypto-policies/modules/DH-SIZE.pmod contains:

    # https://lists.fedorahosted.org/archives/list/devel@lists.fedoraproject.org/message/QWIVDHSPRM3H7W4ZOCGMVOQ2XXRSAT44/
    min_dh_size = 2047

The default min DH size is 2048, so this relaxes that requirement; as such it should not be related to this problem.
If I change the crypto policy to simply "DEFAULT" then OpenSSL rejects the connection just like Firefox:

    $ curl 'https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html'
    curl: (35) OpenSSL/3.0.9: error:0A000172:SSL routines::wrong signature type

Setting it back to DEFAULT:DH-SIZE gets OpenSSL/curl working again. So perhaps the problem is that Firefox/NSS don't obey the min_dh_size crypto-policies option?

    $ update-crypto-policies --show
    DEFAULT:DH-SIZE
    $ /usr/lib64/nss/unsupported-tools/tstclnt -b -D -h stagegoach.on.icomera.com
    tstclnt: read from socket failed: SSL_ERROR_UNSUPPORTED_VERSION: Peer using unsupported version of security protocol.
    $ curl -sS -I 'https://stagecoach.on.icomera.com/?url=http%3A%2F%2Fdetectportal.firefox.com%2Fcanonical.html' | head -n1
    HTTP/1.1 200 OK