Adrian Sevcenco wrote:
> Does anyone have a pointer or idea what changed in terms
> of ciphers or algos or curves between the two versions?
>
> i have 2 pierces of software : the server which is java
> based and the client (python based, websockets)
>
> on centos7 1.0.2.k-fips i can connect to the localhost but
> in fedora{30,31} i have an SSLV3_ALERT_CERTIFICATE_UNKNOWN
> error
>
> Any idea whats is going on?
The error suggests that the application you're running
is using SSLv3 which is not supported. The POODLE attack
effectively killed SSLv3.
I'm not sure if you can even enable SSLv3 with Fedora's
openssl anymore. If you can, it's likely by using
update-crypto-policies to set to LEGACY or some other
profile which includes support for broken protocols like
SSLv3.
It's far better to fix the application to use a secure
protocol though.
If this app is only running on localhost and accessible
there, you might just be better off dropping TLS/SSL
entirely. Obviously, that's not a reasonable solution if
this needs to be accessed outside of your local system. But
then, neither is using SSLv3 in that case. :)
The openssl s_client command is useful for testing these
sort of things. It can help you see what protocols are
being attempted.
--
Todd
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
