I am hoping I am missing something fairly obvious but it would appear any interaction via command line (or if overridden by another application policy) with a site presenting TLSv1/SSLv3 initially is completely broken in F29 Since I upgraded to F29, any site I come across via SSL functionality (ex: github) that initially presents TLSv1/SSLv3, my commands will forcefully exit with a generic error message > curl https://github.com curl: (35) error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback > openssl s_client -connect github.com:443 CONNECTED(00000004) 139888006719296:error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:ssl/statem/statem_lib.c:1929: So I dug around a little bit and noticed it was because, in this example, github was first offering TLSv1/SSLv3 --- SSL handshake has read 3582 bytes and written 415 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 However, because there is a StrongCryptoSettings set to disallow < TLS 1.2, it completely bombs out of the low level C functions with this obscure message. When I forcefully disable access to TLSv1 or 1.1 I can see that support for renegotiation is off but I can now communicate securely with github > openssl s_client -connect github.com:443 -no_tls1 -no_tls1_1 -no_tls1 {....} --- SSL handshake has read 3621 bytes and written 382 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_128_GCM_SHA256 My thought is that a better implementation would be to yes, continue to NOT support TLSv1/SSLv3 but do support renegotiating to > 1.2 rather than obscurely bombing out entirely... So can anyone point me in the right direction to get this working again? I've reached out to github about the TLSv1/SSLv3 thing but I need a stopgap anyway. I cant seem to find a way to make git commands use something other than what openssl negotiates but if openssl libraries are bombing out before renegotiation then there seems to be very little I can do and I cant locate this policy that is referenced here https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
