Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1821934
Summary: | Fedora 32: It looks like the protocol TLS 1.0/1.1 are disabled by default | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dario Lesca <d.lesca> |
Component: | glib-networking | Assignee: | Matthias Clasen <mclasen> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 32 | CC: | crypto-team, dueno, fweimer, gnome-sig, lef, mcatanza, mclasen, mike, nmavrogi, tmraz |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | glib-networking-2.64.2-1.fc32 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-04-25 02:22:33 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Dario Lesca
2020-04-07 21:00:40 UTC
Daiki, apparently GnuTLS does not enable TLS 1.0 and 1.1 with NORMAL priority by default. Is that true? If so, we will need the gnutls back-end generator updated to enable TLS 1.0 and TLS 1.1 if in policy. (In reply to Tomas Mraz from comment #1) > Daiki, apparently GnuTLS does not enable TLS 1.0 and 1.1 with NORMAL > priority by default. Is that true? Beginning with GnuTLS 3.7, yes. But in Fedora 32 we have GnuTLS 3.6 still. Problem is, glib-networking tries to match web browsers in addition to system policy, so it uses -VERS-TLS1.1:-VERS-TLS1.0 because web browsers planned TLS 1.0/1.1 disablement for March 2020 and glib-networking 2.64 release was scheduled for March. That made sense at the time, but browsers have delayed TLS 1.0/1.1 disablement indefinitely because some government COVID-19 website only supported TLS 1.0. So we need to push an update to reenable these protocols for F32. (glib-networking can't directly use system policy because, although Fedora system policy might not be too far behind what web browsers are doing, upstream policies move much too slow. E.g. GnuTLS 3.6 branch will never disable TLS 1.0/1.1, but it might be a long time before GnuTLS 3.7 is stable.) FEDORA-2020-60b926a6f5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-60b926a6f5 FEDORA-2020-60b926a6f5 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-60b926a6f5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-60b926a6f5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. (In reply to Fedora Update System from comment #4) > FEDORA-2020-60b926a6f5 has been pushed to the Fedora 32 testing repository. > In short time you'll be able to install the update with the following > command: > `sudo dnf upgrade --enablerepo=updates-testing > --advisory=FEDORA-2020-60b926a6f5` > You can provide feedback for this update here: > https://bodhi.fedoraproject.org/updates/FEDORA-2020-60b926a6f5 > > See also https://fedoraproject.org/wiki/QA:Updates_Testing for more > information on how to test updates. I have install this update testing and the access to old email server (TLS<1.2) via evolution work again. Thank to all Dario FEDORA-2020-60b926a6f5 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. |