Re: Fedora 29 - Interaction with TLSv1/SSLv3 completely broken

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 3/5/19 4:47 AM, Charles Kozler wrote:

I mean, I show exactly what the issue is...and while it would suggest it is two part, the fact is this didnt occur in < F29
I don't have an older release handy, and I don't know how its security policy is set.  I will note that Google Chrome only enabled "full" support for TLS 1.3, with downgrade protection, in version 72 on Jan 30.  It's barely one month old.  The idea that full support wasn't turned on in F28 wouldn't surprise me at all. 



and there is a link pointing out the changes to not support < TLS v1.3.



The link you found was a proposal.  It has not been accepted yet:
https://fedoraproject.org/wiki/Releases/29/ChangeSet

...also, the proposal was to disable TLS < 1.2, not 1.3.



It boils down to github offering TLSv1 session and the Palo Alto not honoring the secure renegotiation keeping the connection to TLSv1.1 of which the new policy changes in F29 break this - this is the two part problem but the breaking change was in the policy change in F29 - which is what brings me to this post to try to identify where in the system I change said policies
That's not now TLS works.  Peers don't start with a low version and ratchet up, they start with the highest version they support and settle on the best possible.  Your inspection device is downgrading the TLS protocol, and the endpoints can see that they support a higher version than they initially negotiated.  TLS 1.3 prohibits that. 

https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html
As I mentioned previously, you need to disable TLS 1.3 to work around the problem.  As far as I know, there's no system-wide way to do that.  (See the man pages for crypto-policies and update-crypto-policies).  You can set minimums system-wide, but not maximums.  Once you disable support for 1.3, the client and server should negotiate tls 1.2 connections, which your inspection device presumably supports adequately. 
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux