On 06/01/2021 13:03, Chris Adams wrote:
> Once upon a time, Ed Greshko <ed.greshko@xxxxxxxxxxx> said:
>> On 06/01/2021 08:03, Chris Adams wrote:
>>> Off to file a bug, against crypto-policies I guess to start.
>> Well, I don't know why you'd do that.
>> I just did "sudo update-crypto-policies --set LEGACY" on an F33 system, restarted the system as
>> suggested, and I was able to access that site just fine.
> Because that's not supposed to be necessary. The site's crypto appears
> to be okay (as far as I can tell), and so weakening all crypto on my
> system to access it is not a legitimate solution. And the whole point
> of having system crypto policies is that they are supposed to be
> consistently applied, yet they are not (it's pretty evenly split that
> some clients work and some do not). There is something broken - that's
> why I filed a bug.
What is the BZ# ?
FWIW....
On an F33 system with
[egreshko@meimei ~]$ update-crypto-policies --show
DEFAULT
I get....
[egreshko@meimei ~]$ openssl s_client -connect support.juniper.net:443
CONNECTED(00000003)
140633250584384:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
And with
[egreshko@f33kr ~]$ update-crypto-policies --show
LEGACY
I get....
[egreshko@f33kr ~]$ openssl s_client -connect support.juniper.net:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
verify return:1
depth=0 C = US, postalCode = 94089, ST = California, L = Sunnyvale, street = 1133 Innovation Way, O = "Juniper Networks, Inc.", OU = Marketing, CN = support.juniper.net
verify return:1
---
Certificate chain
0 s:C = US, postalCode = 94089, ST = California, L = Sunnyvale, street = 1133 Innovation Way, O = "Juniper Networks, Inc.", OU = Marketing, CN = support.juniper.net
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
Server certificate
subject=C = US, postalCode = 94089, ST = California, L = Sunnyvale, street = 1133 Innovation Way, O = "Juniper Networks, Inc.", OU = Marketing, CN = support.juniper.net
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6642 bytes and written 485 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D750348B57732D201F5EB1EE1EDB3D0DAA10AE5C2E6844D54B587DFC750F906F
Session-ID-ctx:
Master-Key: 4CD9E8EAC021E23F6A425A8788C07FCDC0B4A2D90747C1A9784315E5F4A256ACBC5E670ACB80C9E75259C931CAAEE1C1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 14400 (seconds)
TLS session ticket:
Start Time: 1609910106
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
I don't know if there is a way to tell FF to use lesser security settings.
---
The key to getting good answers is to ask good questions.
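As an added example (not part of the thread or of any Fedora tooling), a small Python parser for openssl s_client transcripts like the two quoted above: it pulls out the alert number, the negotiated protocol and cipher, and the key sizes, and points out that "Verification: OK" on a run that never received a certificate says nothing. The two excerpts it works on are constructed from the quoted DEFAULT and LEGACY runs; the alert-number table is the one from RFC 5246 section 7.2.

```python
import re
# Constructed excerpts modelled on the two s_client runs quoted in the thread:
# DEFAULT policy ended in alert 40, LEGACY negotiated TLS 1.2.
FAILED_RUN = """CONNECTED(00000003)
140633250584384:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
no peer certificate available
SSL handshake has read 7 bytes and written 313 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
"""
OK_RUN = """CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 6642 bytes and written 485 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Verify return code: 0 (ok)
"""
# Alert descriptions most often behind a failed s_client run (RFC 5246 section 7.2).
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}

def _grab(pattern, text, conv=str):
    m = re.search(pattern, text)
    return conv(m.group(1)) if m else None

def parse_s_client(output):
    """Reduce an s_client transcript to the fields that explain its outcome."""
    alert = _grab(r"SSL alert number (\d+)", output, int)
    nc = re.search(r"New, (\S+), Cipher is (\S+)", output)
    negotiated = bool(nc) and nc.group(2) != "(NONE)"
    return {
        "alert": alert,
        "alert_name": ALERTS.get(alert, "unknown") if alert is not None else None,
        "protocol": nc.group(1) if negotiated else None,
        "cipher": nc.group(2) if negotiated else None,
        "read_bytes": _grab(r"handshake has read (\d+) bytes", output, int),
        "key_bits": _grab(r"Server public key is (\d+) bit", output, int),
        "temp_key": _grab(r"Server Temp Key: (.+)", output),
        "peer_cert": "no peer certificate available" not in output,
    }

def diagnose(info):
    """One-line verdict; also flags the vacuous 'Verification: OK' on a failed run."""
    if info["alert"] is not None:
        msg = f"fatal alert {info['alert']} ({info['alert_name']}) from the server"
        if info["read_bytes"] == 7:  # 5-byte record header + 2-byte alert body: nothing else arrived
            msg += "; rejected at ClientHello, no ServerHello or certificate was sent"
        if not info["peer_cert"]:
            msg += "; 'Verification: OK' here is vacuous, no certificate was checked"
        return msg
    return f"{info['protocol']} {info['cipher']}, server key {info['key_bits']} bit, ephemeral {info['temp_key']}"
```

Feed it the full output of `openssl s_client -connect host:443` captured under each policy to compare what the server accepted; the 7-byte read in the failed run is the tell that the server refused the offered parameters outright rather than failing later in the handshake.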