Bug 1851585
| Summary: | My openconnect VPN connection stopped working after upgrading crypto-policies to the 20200625-1.gitb298a9e version (The Diffie-Hellman prime sent by the server is not acceptable) | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | crypto-policies | Assignee: | Red Hat Crypto Team <crypto-team> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | crypto-team, lef, mikhail.v.gavrilov, nmavrogi, pwouters, robatino, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-06-29 09:15:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1766775, 1766776 | | |
Description
Mikhail
2020-06-27 08:28:42 UTC
Proposed as a Blocker and Freeze Exception for 33-beta by Fedora user mikhail using the blocker tracking app because: Broken basic functionality. Due to this bug, I can't work remotely.

Paul Wouters (comment #2):

DHE-CUSTOM1024 - Diffie-Hellman 1024 is really just too weak. It was too weak in 1999. Anything that does DH1024 is able to do at least DH1536 or DH2048.

Upgrade the server to accept stronger proposals.

Mikhail:

(In reply to Paul Wouters from comment #2)
> DHE-CUSTOM1024 - Diffie-Hellman 1024 is really just too weak. It was too
> weak in 1999. Anything that does DH1024 is able to do at least DH1536 or
> DH2048.
>
> Upgrade the server to accept stronger proposals

My organization uses Cisco ASA 5510 and Cisco 5585-X. I am not a network admin, but I suppose these hardware solutions don't support other ciphers.

Tomas Mraz (comment #4):

Then please switch to LEGACY policy. It is there for exactly the situations like yours.

update-crypto-policies --set LEGACY

Mikhail:

(In reply to Tomas Mraz from comment #4)
> Then please switch to LEGACY policy. It is there for exactly the situations
> like yours.
>
> update-crypto-policies --set LEGACY

Thanks, it helped. I appreciate stronger security settings, but as a user I am happier when my OS solves my tasks out of the box. Today many Fedora users are working remotely due to COVID-19, and they will be very surprised when, after upgrading to F33, they can't connect to their work. My proposal is that the security policy should restrict only server software. Users who are not system administrators shouldn't have to file bug reports and search for answers on the Internet to perform simple actions (I think connecting to the employer's VPN server should be a maximally simple action).

P.S. I asked my network admins why Cisco ASA used "Diffie-Hellman 1024". The answer was simple: "This is the default". So I suppose nowadays most organizations also use proprietary Cisco ASA with default settings.

Reply:

Unfortunately, without dropping support for weak ciphers, protocols and parameters from the default configuration, nobody without a clue would really move, and we would probably still see RC4 or even DES with SSLv3 used almost everywhere. The legacy policy is there for a reason and the strong default is the way to go.
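The thread turns on one decision: the client's crypto policy sets a minimum Diffie-Hellman modulus size, the Cisco ASA default group is 1024 bits, and DEFAULT rejects it while LEGACY accepts it. The following script is an added example, not code from the bug report or from the crypto-policies project; it models that decision so an administrator can see why the error fires before reaching for `update-crypto-policies --set LEGACY`. Assumptions: the per-policy minimums (2048 bits for DEFAULT, 1024 for LEGACY) are the values I recall from the Fedora crypto-policies definitions and should be checked against `/usr/share/crypto-policies` on the installed version; the 1024-bit modulus is the public RFC 2409 group 2 prime, which is what a "Diffie-Hellman 1024" group on an ASA corresponds to; the safe-prime check is an additional sanity check on the offered group, not a claim about what GnuTLS itself does.

```python
"""Model the "Diffie-Hellman prime sent by the server is not acceptable"
decision: compare a server-offered DH modulus against a per-policy minimum
size, and sanity-check that the modulus is a safe prime.

Added example; not part of the bug report or of crypto-policies.
"""
import random

# ASSUMPTION: minimum DH modulus size per policy, as recalled from the
# Fedora crypto-policies DEFAULT and LEGACY definitions. Verify locally.
MIN_DH_BITS = {"DEFAULT": 2048, "LEGACY": 1024}

# RFC 2409 "Second Oakley Group" (MODP-1024) prime; this is the 1024-bit
# group that "Diffie-Hellman group 2" refers to on common VPN appliances.
RFC2409_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)


def is_probable_prime(n, rounds=32):
    """Trial division by small primes, then Miller-Rabin with a fixed seed
    so that repeated runs pick the same witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """A safe prime p has (p - 1) / 2 prime as well; all MODP groups do."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def assess_dh_group(p, policy):
    """Return (accepted, reason) for modulus p under the named policy.

    The size check is the one that produces the "not acceptable" error in
    the bug report; the safe-prime check is an extra guard against a
    server handing out a malformed group."""
    bits = p.bit_length()
    minimum = MIN_DH_BITS[policy]
    if bits < minimum:
        return False, f"{bits}-bit modulus is below the {policy} minimum of {minimum} bits"
    if not is_safe_prime(p):
        return False, f"{bits}-bit modulus is not a safe prime"
    return True, f"{bits}-bit safe prime meets the {policy} minimum of {minimum} bits"


if __name__ == "__main__":
    # Same server group, two client policies: DEFAULT rejects, LEGACY accepts.
    for policy in ("DEFAULT", "LEGACY"):
        accepted, reason = assess_dh_group(RFC2409_GROUP2_P, policy)
        print(f"{policy:8s} {'accept' if accepted else 'reject'}: {reason}")
```

Running it prints a rejection under DEFAULT (1024 below 2048) and an acceptance under LEGACY, which is exactly the before/after of the `update-crypto-policies --set LEGACY` step in the thread; the reason string is the part worth surfacing to a user, since the error the VPN client shows does not say which policy threshold was missed.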