Bug 1153814

| Summary: | yum cannot access repositories using TLS 1.2 | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | curl | Assignee: | Kamil Dudka <kdudka> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 20 | CC: | bugzilla.blk, hannsj_uhl, kdudka, paul |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | curl-7.29.0-27.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-12-01 18:56:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Adam Williamson
2014-10-16 20:53:54 UTC
FWIW I did try just patching the bits from curl 7.37's nss.c that enable the SHA256 ciphers into curl 7.32. It built, it runs, but it still won't connect to kraxel.org, and I can't specify the SHA256 ciphers with --ciphers on the command line (it says they're unknown). So I guess they may not be in F20's nss, even though it looks like it's a new enough version that it could have them. I'll look into it a bit more later.

(In reply to Adam Williamson (Red Hat) from comment #0)

> curl: (35) Cannot communicate securely with peer: no common encryption
> algorithm(s).

TLS 1.2 is not enabled by default in curl/nss, see bug #994599 for details.

> Using -v, I can see curl's using its NSS backend (though ldd shows for some
> reason it's built against both nss and openssl).

NSS is used mainly to implement TLS in libcurl. openssl gets loaded via libssh2, which uses openssl crypto to implement the SCP/SFTP protocols.

I can backport the options of (lib)curl to enable TLS 1.2, but I am afraid that it will not help to resolve the issue with yum. Changing libcurl's default in an already released Fedora seems risky, given the fact that we are about to drop the fallback to SSLv3 at the same time: http://thread.gmane.org/gmane.comp.web.curl.library/43887

I have enabled TLS 1.2 by default in Fedora 20 and by option in Fedora 19.

curl-7.29.0-26.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/curl-7.29.0-26.fc19

curl-7.32.0-16.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/curl-7.32.0-16.fc20

Enabling it as an option won't help yum in f19 immediately, will it? yum would have to adjust its use of curl?

Exactly. This update should not break working F19 installations, whereas broken F19 installations can be fixed by upgrading to F20. In any case, the options added to enable new cipher-suites and TLS versions might be pretty useful to diagnose issues like this.

Package curl-7.32.0-16.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing curl-7.32.0-16.fc20'
```

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-15706/curl-7.32.0-16.fc20 then log in and leave karma (feedback).

curl-7.32.0-16.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

curl-7.37.0-11.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/curl-7.37.0-11.fc21

curl-7.32.0-17.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/curl-7.32.0-17.fc20

curl-7.29.0-27.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/curl-7.29.0-27.fc19

curl-7.32.0-17.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

curl-7.37.0-11.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

curl-7.29.0-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

I'm getting this error on fc21 when attempting to reach https://test.do:

```
$ curl https://test.do
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).

$ rpm -q curl
curl-7.37.0-12.fc21.x86_64
$ curl --version
curl 7.37.0 (x86_64-redhat-linux-gnu) libcurl/7.37.0 NSS/3.17.3 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz Metalink
```

```
Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)   ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)      ECDH 256 bits (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)   ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)      ECDH 256 bits (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)     ECDH 256 bits (eq. 3072 bits RSA)   FS   112
```

(In reply to IanB from comment #16)

> I'm getting this error on fc21 when attempting to reach https://test.do:
>
> $ curl https://test.do
> curl: (35) Cannot communicate securely with peer: no common encryption
> algorithm(s).

It connects successfully if you enable the requested cipher-suite:

```
$ curl -svo/dev/null --ciphers ecdhe_ecdsa_aes_128_gcm_sha_256 https://test.do
* Rebuilt URL to: https://test.do/
*   Trying 2400:cb00:2048:1::681c:182e...
* connect to 2400:cb00:2048:1::681c:182e port 443 failed: Network is unreachable
*   Trying 2400:cb00:2048:1::681c:192e...
* connect to 2400:cb00:2048:1::681c:192e port 443 failed: Network is unreachable
*   Trying 104.28.25.46...
* Connected to test.do (104.28.25.46) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=sni39227.cloudflaressl.com,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* 	start date: Oct 18 00:00:00 2014 GMT
* 	expire date: Sep 30 23:59:59 2015 GMT
* 	common name: sni39227.cloudflaressl.com
* 	issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: test.do
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: cloudflare-nginx
< Date: Wed, 14 Jan 2015 08:12:54 GMT
< Content-Type: text/html;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d6e2c461df85d0a83e150ebe378eadaea1421223174; expires=Thu, 14-Jan-16 08:12:54 GMT; path=/; domain=.test.do; HttpOnly
< Cache-Control: no-cache,no-store,must-revalidate
< X-Hudson-Theme: default
< Set-Cookie: JSESSIONID.ed7330dc=125ittf9euro417715g1ljvbo;Path=/;Secure;HttpOnly
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Hudson: 1.395
< X-Jenkins: 1.594
< X-Jenkins-Session: 7b4bcba4
< X-Hudson-CLI-Port: 53595
< X-Jenkins-CLI-Port: 53595
< X-Jenkins-CLI2-Port: 53595
< X-Frame-Options: sameorigin
< X-Instance-Identity: MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoY90flR67oYHcdawaNBM4t8grQmoqa0jSYZPGo+ZgMh6E0QR+32AcOHYmDGOF/pVLl9EDH/t6h9dFeHg0huPi/zIL1iGh9ZhK/ar4q4+IXLmLNnwwcJ6+CeGCShNVQ/kB8ilkNCX0IXqVBbXVntmX/CenUgqMeMNdSvIzD0k8oTolQ+zTATytF4vNYbwFOwuOYqFEy3gZuwPt1oH6+IyN+3Ey5ksc9H/ukedQ+fpu6RE8gWdVT7alro2XOpVEdg0FLNPmnVBqtWJr+OVaEGuzL5Ol+23HDeVGAuMCKZqpCyi79wy2wGbDZFcA4l1afrwVISOwRsfHo+jioZcJLEgbQIDAQAB
< X-SSH-Endpoint: test.do:45609
< CF-RAY: 1a885f0694920583-PRG
<
{ [2938 bytes data]
* Connection #0 to host test.do left intact
```
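Both failures in this thread (the F19/F20 case where curl's NSS backend had TLS 1.2 disabled, and the F21 case where the client's enabled suites did not overlap an ECDHE_ECDSA-only server) produce the same curl error 35, yet have different causes. The following is an added model of the negotiation rule that separates them; it is not code from the bug report, curl or NSS. The server list is the test.do cipher list quoted above; the client cipher lists and protocol ceilings are constructed assumptions, not curl's real defaults.

```python
"""Model of TLS cipher-suite negotiation, added as an illustration for this bug
thread. It is not curl or NSS code. It reproduces both failures discussed above:
a client whose protocol ceiling stops below TLS 1.2, and a client whose enabled
suites do not overlap the ECDHE_ECDSA-only server at test.do."""

TLS_1_0, TLS_1_1, TLS_1_2 = 0x0301, 0x0302, 0x0303
VERSION_NAMES = {TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}


def min_version(suite):
    """Lowest protocol version that can carry a suite. GCM (AEAD) suites and
    suites with SHA-256/SHA-384 MACs are defined only for TLS 1.2 (RFC 5246,
    RFC 5288, RFC 5289); the older suites work from TLS 1.0 upwards."""
    if "_GCM_" in suite or suite.endswith(("_SHA256", "_SHA384")):
        return TLS_1_2
    return TLS_1_0


def negotiate(client_suites, client_max, server_suites, server_max):
    """Return (version, suite) on success or (None, reason) on failure.

    The protocol version is the lower of the two ceilings. The server then walks
    its own preference order (the capture above lists suites in
    "server-preferred order") and takes the first suite the client also offers,
    provided the agreed version is new enough to carry it. Both failure branches
    surface in curl as the same error 35 text, which is why the reason string
    tells them apart."""
    version = min(client_max, server_max)
    common = [s for s in server_suites if s in client_suites]
    if not common:
        return None, "no cipher suite in common"
    for suite in common:
        if min_version(suite) <= version:
            return version, suite
    return None, ("shared suites all require TLS 1.2, but the negotiated "
                  f"ceiling is {VERSION_NAMES[version]}")


# Server profile taken from the test.do cipher list quoted in the thread:
# ECDHE_ECDSA suites only, in the server's preference order.
TEST_DO_SERVER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed client profiles (assumptions, not curl's real default lists).
# A client offering only RSA key exchange shares nothing with an
# ECDHE_ECDSA-only server, whatever protocol version it speaks.
RSA_ONLY_CLIENT = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# curl's --ciphers replaces the enabled set, so the tuned client offers exactly
# the one suite named on the command line in the thread.
TUNED_CLIENT = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]


def scenarios():
    """The three situations from the thread, keyed by a short label."""
    return {
        "rsa_only_client": negotiate(RSA_ONLY_CLIENT, TLS_1_2, TEST_DO_SERVER, TLS_1_2),
        "tuned_client_no_tls12": negotiate(TUNED_CLIENT, TLS_1_1, TEST_DO_SERVER, TLS_1_2),
        "tuned_client_tls12": negotiate(TUNED_CLIENT, TLS_1_2, TEST_DO_SERVER, TLS_1_2),
    }


if __name__ == "__main__":
    for label, (version, detail) in scenarios().items():
        if version is None:
            print(f"{label}: FAIL ({detail})")
        else:
            print(f"{label}: OK, {VERSION_NAMES[version]} {detail}")
```

The point of keeping the two failure reasons apart is diagnostic: when the shared suites exist but are all TLS 1.2-only, the fix is the protocol ceiling (the TLS 1.2 default that this bug enabled), not the cipher list; when nothing is shared, no protocol option helps and the client's enabled suites have to change.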