Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1549096

Summary: FF and TB can't connect to several sites due to SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY error
Product: [Fedora] Fedora Reporter: Vít Ondruch <vondruch>
Component: crypto-policiesAssignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED DEFERRED QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: jorton, kengert, lef, nmavrogi, pwouters, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-26 15:58:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vít Ondruch 2018-02-26 11:50:48 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Vít Ondruch 2018-02-26 11:56:18 UTC
Sorry, somehow hit enter too early :/

Nevertheless, this is a bit blind shot, since I really don't know what might be the root cause of my issues. But since I updated my Rawhide last week, I have issues connecting to some sites using FF due to errors like:

~~~
An error occurred during a connection to ****.com. Při komunikaci protokolem SSL byl v inicializační zprávě typu Server Key Exchange obdržen slabý klíč typu Diffie-Hellman. Error code: SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
~~~

I have similar issues connecting my TB to the mail server [1]. I have not updated neither FF nor TB, so it must be something else. Any idea what it could be? I can provide you list of updated libraries if that helps.



$ rpm -q ca-certificates 
ca-certificates-2018.2.22-2.fc28.noarch


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1548016

Comment 2 Vít Ondruch 2018-02-26 11:58:50 UTC
Actually, this might be crypto-policies, which were updated as well:

$ rpm -q crypto-policies
crypto-policies-20180112-1.git386e3fe.fc28.noarch

Comment 3 Nikos Mavrogiannopoulos 2018-02-26 15:23:35 UTC
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings

Comment 4 Nikos Mavrogiannopoulos 2018-02-26 15:25:00 UTC
Thank you for reporting that. Could you please move that issue to the tracking bug of the change? We are already aware of the fact that some internal (usually) sites fail to work with the new rule, but it is good to have it explicit.

#1534532

Comment 5 Vít Ondruch 2018-02-26 15:29:25 UTC
(In reply to Nikos Mavrogiannopoulos from comment #4)
> Could you please move that issue to the
> tracking bug of the change?

Sorry, I am not sure what do you mean by this. Should I comment there and close this one or should I just block the tracking bug by this one?

Comment 6 Vít Ondruch 2018-02-26 15:31:03 UTC
BTW if you can send a short note to fedora-devel that this change landed and it might cause some issues, it could save some time to Rawhide users.

Also, for FF and TB, there is workaround. In about:config change every "dhe" option to "False", although it works for some sites but breaks others.

Comment 7 Vít Ondruch 2018-02-26 15:34:41 UTC
*** Bug 1548016 has been marked as a duplicate of this bug. ***

Comment 8 Nikos Mavrogiannopoulos 2018-02-26 15:39:28 UTC
Yes, please close that one and report the issue (+the sites affected) in #1534532. I've just sent a fedora-devel update on that.

Comment 9 Vít Ondruch 2018-02-26 15:58:57 UTC
Closing this in favor of bug 1534532