Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1396719
Summary: | FUTURE cryptopolicy prevent dnf from updating | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael S. <misc> |
Component: | curl | Assignee: | Kamil Dudka <kdudka> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 25 | CC: | kdudka, nmavrogi, paul, thomas |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | curl-7.51.0-3.fc26 curl-7.51.0-3.fc25 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-26 22:52:57 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Michael S.
2016-11-19 08:54:45 UTC
so after doing some fiddling, the issue is: tls-version-min=tls1.2 anything different from tls-version-min=tls1.0 fail. I am not sure if the issue is on curl side, or on the cryptopolicy side It seems the issue is in curl. If I provide explicitly TLS1.2 it works: $ curl --tlsv1.2 https://www.google.com <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> ... Otherwise: $ curl https://www.google.com curl: (35) SSL version range is not valid. It seems its code cannot cope with NSS having TLS 1.0 or TLS 1.1 disabled. Thank you for reporting the bug! The following upstream commit will fix it: https://github.com/curl/curl/commit/curl-7_51_0-17-g5d45ced I have also included the --tlsv1.3 option to ease future testing of TLS 1.3: http://pkgs.fedoraproject.org/cgit/rpms/curl.git/commit/?id=c38149da Kamil could you include that fix in F25 as well? F25 is the first release with NSS supporting crypto policies. (In reply to Nikos Mavrogiannopoulos from comment #5) > Kamil could you include that fix in F25 as well? Sure. It is already included in dist-git (master and f25 share the same commit object). I am only waiting with the f25 build till the rawhide build finishes. Otherwise both the builds would fail due to port collisions in the upstream test suite in case a pair of builds was accidentally assigned to the same build host in Koji. curl-7.51.0-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f35ce8775 curl-7.51.0-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0f35ce8775 curl-7.51.0-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. |