Bug 1641834
Summary: | allow custom gnutls priority string via crypto-policies | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael Riss <Michael.Riss> |
Component: | openconnect | Assignee: | David Woodhouse <dwmw2> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | unspecified | | |
Version: | 29 | CC: | dwmw2, lupinix.fedora, nmavrogi, thomas |
Target Milestone: | --- | Keywords: | FutureFeature |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | openconnect-7.08-10.fc29 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-11-11 04:00:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Michael Riss
2018-10-22 23:43:32 UTC
Something I forgot: Currently the update-crypto-policies mechanism cannot append custom configuration files to the system policy. But hopefully this will get resolved soon: https://bugzilla.redhat.com/show_bug.cgi?id=1641830

It makes sense to me, though I'm not sure I'll be able to get to it any time soon. Would you like to make a pull request at: https://src.fedoraproject.org/rpms/openconnect

Nikos, I'm trying to make some progress towards a pull request. But I'm stuck at the step where I'm logged into src.fedoraproject.org, click on "fork" of https://src.fedoraproject.org/rpms/openconnect and I'm getting endlessly greeted by "You must sign the FPCA (Fedora Project Contributor Agreement) to use pagure", which I have signed already. I will need to find someone who can get me unstuck with this. So, I'm not unwilling ... just lost in the system atm.

Thank you for letting me know. Could you report it to: https://pagure.io/fedora-infrastructure/issues and post here the ticket you have. It is important that we have it easy for people to contribute to fedora. Sorry for that.

I opened the ticket (https://pagure.io/fedora-infrastructure/issue/7338). Kevin quickly resolved the problem with the failing fork and now I am able to submit a pull request. So far it's one for the f29 branch (https://src.fedoraproject.org/rpms/openconnect/pull-request/2). Should I also issue one for master (it's the same change)?

openconnect-7.08-9.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5bbd19daa2

openconnect-7.08-9.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5bbd19daa2

That change breaks VPN connection for me with NetworkManager, "Failed to set TLS priority string("@OPENCONNECT,@SYSTEM:%COMPAT"): The request is invalid". Downgrading to openconnect-7.08-8.fc29.x86_64 makes everything work again.

Indeed. I can confirm this problem. This is my bad, I should have confirmed that invalid keywords get skipped as documented (https://gnutls.org/manual/html_node/Priority-Strings.html @KEYWORD). Instead it seems gnutls tries the first keyword and either this works or the whole init process fails. This package (openconnect-7.08-9.fc29) is bad and I would like to retract it. Currently, I think the issue needs to be resolved upstream in openconnect with a custom priority string as mentioned above and/or within gnutls to really iterate through the keywords until a valid one is found as documented.

openconnect-7.08-10.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e2795753b3

There was a typo in how the fallback keywords were set up. Instead of "@OPENCONNECT,SYSTEM", "@OPENCONNECT,@SYSTEM" was used.

openconnect-7.08-10.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e2795753b3

Indeed, this seems to do the trick. Great catch!

openconnect-7.08-10.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
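An added example, not code from openconnect, GnuTLS or anyone in this thread: a simplified model of the `@KEYWORD` fallback lookup discussed above, written as a lint a packager could run on a priority string before shipping it. It assumes the system priority file uses `KEYWORD=VALUE` lines; `parse_policy`, `resolve`, `PriorityError` and the sample policy are hypothetical names and constructed data.

```python
# Added example: simplified model of GnuTLS "@KEYWORD" fallback resolution.
# Names and the sample policy are constructed for illustration.

SAMPLE_POLICY = """\
# constructed sample; only SYSTEM is defined, OPENCONNECT is not
SYSTEM=NORMAL:-VERS-TLS1.0
"""


class PriorityError(ValueError):
    """Raised when the keyword prefix of a priority string cannot be resolved."""


def parse_policy(text):
    """Parse KEYWORD=VALUE lines (assumed file format) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def resolve(priority, policy):
    """Return (keyword_used, expanded_string); raise PriorityError if invalid."""
    if not priority.startswith("@"):
        return None, priority  # plain string, no system keyword involved
    names, sep, extra = priority[1:].partition(":")
    candidates = names.split(",")
    # Only the first keyword carries '@'. Reject a later '@' even when an
    # earlier keyword is defined, so the mistake cannot hide on some hosts.
    stray = [c for c in candidates[1:] if c.startswith("@")]
    if stray:
        raise PriorityError("fallback keyword written with '@': " + ", ".join(stray))
    for name in candidates:
        if name in policy:  # first defined keyword wins
            return name, policy[name] + sep + extra
    raise PriorityError("no listed keyword is defined: " + names)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for candidate in ("@OPENCONNECT,SYSTEM:%COMPAT", "@OPENCONNECT,@SYSTEM:%COMPAT"):
        try:
            print(candidate, "->", resolve(candidate, policy))
        except PriorityError as err:
            print(candidate, "-> rejected:", err)
```

The lint is stricter than a runtime lookup on purpose: it flags the `@` in fallback position whether or not the first keyword happens to be defined on the build host.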