Re: Fedora 29 - Interaction with TLSv1/SSLv3 completely broken

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 4 Mar 2019 at 09:14, Charles Kozler <ckozleriii@xxxxxxxxx> wrote:
I am hoping I am missing something fairly obvious but it would appear any interaction via command line (or if overridden by another application policy) with a site presenting TLSv1/SSLv3 initially is completely broken in F29

Since I upgraded to F29, any site I come across via SSL functionality (ex: github) that initially presents TLSv1/SSLv3, my commands will forcefully exit with a generic error message

> curl https://github.com
curl: (35) error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback

> openssl s_client -connect github.com:443
CONNECTED(00000004)
139888006719296:error:1425F175:SSL routines:ssl_choose_client_version:inappropriate fallback:ssl/statem/statem_lib.c:1929:

So I dug around a little bit and noticed it was because, in this example, github was first offering TLSv1/SSLv3

[...]
 
My thought is that a better implementation would be to yes, continue to NOT support TLSv1/SSLv3 but do support renegotiating to > 1.2 rather than obscurely bombing out entirely...

So can anyone point me in the right direction to get this working again? I've reached out to github about the TLSv1/SSLv3 thing but I need a stopgap anyway. I cant seem to find a way to make git commands use something other than what openssl negotiates but if openssl libraries are bombing out before renegotiation then there seems to be very little I can do and I cant locate this policy that is referenced here https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2


Recent curl has --tlsv1.2 and --tlsv1.3 options.  Do these allow you to connect to github?

There is a TLDNR discussion of policy management  at https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/B4YAC3KZOJUT4V6B3EVYZIDKHELU5NRA/
 
--
George N. White III

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux