1698681 – mumble SSL errors.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1698681 - mumble SSL errors.

Summary: mumble SSL errors.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	mumble
Sub Component:
Version:	30
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Rex Dieter
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-11 00:18 UTC by Carlos O'Donell
Modified:	2019-05-28 02:00 UTC (History)
CC List:	10 users (show)
Fixed In Version:	mumble-1.2.19-14.fc30 mumble-1.2.19-14.fc29
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-05-22 01:40:02 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Carlos O'Donell 2019-04-11 00:18:30 UTC

Description of problem:
Mumble fails to connect to server and reports SSL issues.

Version-Release number of selected component (if applicable):
mumble-1.2.19-12.fc30.x86_64

How reproducible:
Start mumble and try to connect to a server.

Steps to Reproduce:
1. Start mumble.
2. Pick server from list.
3. Click connect.

Actual results:

stdout shows:
OpenSSL Support: 1 (OpenSSL 1.1.1b FIPS  26 Feb 2019)
ServerHandler: TLS cipher preference is "TLS_AES_256_GCM_SHA384"

client shows:
[8:14 PM] Server connection failed: Invalid or empty cipher list (error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match).

... and repeats this over and over as it tries to reconnect.

- Server does not connect.
- Clicking configure->settings causes a a SIGSEGV:

(gdb) bt
#0  0x0000555555740112 in  ()
#1  0x0000555555741b8d in  ()
#2  0x0000555555615172 in  ()
#3  0x0000555555779609 in  ()
#4  0x00007ffff649e62a in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () at /lib64/libQtCore.so.4
#5  0x00007ffff6dd7b95 in QComboBox::currentIndexChanged(int) ()
    at /lib64/libQtGui.so.4
#6  0x00007ffff6dd7c46 in  () at /lib64/libQtGui.so.4
#7  0x00007ffff6dd7f53 in  () at /lib64/libQtGui.so.4
#8  0x00007ffff6dd81c3 in QComboBox::setCurrentIndex(int) ()
    at /lib64/libQtGui.so.4
#9  0x00007ffff649e966 in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () at /lib64/libQtCore.so.4
#10 0x00007ffff64e9b58 in QAbstractItemModel::rowsInserted(QModelIndex const&, int, int) () at /lib64/libQtCore.so.4
#11 0x00007ffff6482e8e in QAbstractItemModel::endInsertRows() ()
    at /lib64/libQtCore.so.4
#12 0x00007ffff6faac63 in  () at /lib64/libQtGui.so.4
#13 0x00007ffff6fab2f6 in  () at /lib64/libQtGui.so.4
#14 0x00007ffff6dd91b4 in QComboBox::insertItem(int, QIcon const&, QString const&, QVariant const&) () at /lib64/libQtGui.so.4
#15 0x0000555555614331 in  ()
--Type <RET> for more, q to quit, c to continue without paging--
#16 0x0000555555614726 in  ()
#17 0x00005555556ae771 in  ()
#18 0x000055555563e5f6 in  ()
#19 0x000055555577b2af in  ()
#20 0x000055555577b5fb in  ()
#21 0x00007ffff649e62a in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) ()
    at /lib64/libQtCore.so.4
#22 0x00007ffff69fe616 in QAction::triggered(bool) () at /lib64/libQtGui.so.4
#23 0x00007ffff69ff9bf in QAction::activate(QAction::ActionEvent) () at /lib64/libQtGui.so.4
#24 0x00007ffff6e3da0b in  () at /lib64/libQtGui.so.4
#25 0x00007ffff6e41fa1 in  () at /lib64/libQtGui.so.4
#26 0x00007ffff6a59a96 in QWidget::event(QEvent*) () at /lib64/libQtGui.so.4
#27 0x00007ffff6e454bb in QMenu::event(QEvent*) () at /lib64/libQtGui.so.4
#28 0x00007ffff6a04461 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () at /lib64/libQtGui.so.4
#29 0x00007ffff6a0c034 in QApplication::notify(QObject*, QEvent*) () at /lib64/libQtGui.so.4
#30 0x00007ffff648a2af in QCoreApplication::notifyInternal(QObject*, QEvent*) () at /lib64/libQtCore.so.4
#31 0x00007ffff6a0a7e5 in QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&, bool) () at /lib64/libQtGui.so.4
#32 0x00007ffff6a816ab in  () at /lib64/libQtGui.so.4
#33 0x00007ffff6a80159 in QApplication::x11ProcessEvent(_XEvent*) () at /lib64/libQtGui.so.4
#34 0x00007ffff6aa6fff in  () at /lib64/libQtGui.so.4
#35 0x00007ffff5caefa0 in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#36 0x00007ffff5caf338 in  () at /lib64/libglib-2.0.so.0
#37 0x00007ffff5caf3e3 in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#38 0x00007ffff64b8206 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
    at /lib64/libQtCore.so.4
#39 0x00007ffff6aa719b in  () at /lib64/libQtGui.so.4
#40 0x00007ffff6488a93 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
    at /lib64/libQtCore.so.4
#41 0x00007ffff6488dae in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () at /lib64/libQtCore.so.4
#42 0x00007ffff648e23e in QCoreApplication::exec() () at /lib64/libQtCore.so.4
#43 0x00005555555e72dc in  ()
--Type <RET> for more, q to quit, c to continue without paging--
#44 0x00007ffff5dd5f33 in __libc_start_main () at /lib64/libc.so.6
#45 0x00005555555e9c7e in  ()
(gdb) 

Expected results:
- It works and connects to server.

Comment 1 Carlos O'Donell 2019-04-11 00:22:24 UTC

Connecting to the server works (server name redacted) and seems to work.

openssl s_client -showcerts -connect xxx.xxxx.xxx:64738
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 335 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Comment 2 Rex Dieter 2019-04-12 15:31:32 UTC

Can you retest trying:

openssl s_client -cipher 'TLS_AES_256_GCM_SHA384' -connect xxx.xxxx.xxx:64738

??

Another thing to try, use update-crypto-policy to be more permissive, (as root):

update-crypto-policies --set LEGACY

(to put things back they way they were, run:
update-crypto-policies --set DEFAULT
)

and see if that helps?

Comment 3 Anton Oussik 2019-04-15 00:23:02 UTC

I too have this problem.

Entering the openssl command you suggested generates this output:

Error with command: "-cipher TLS_AES_256_GCM_SHA384"
140636483376960:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

Changing the crypto policy to LEGACY does not change the output of that command, or behaviour of mumble.

Comment 4 Anton Oussik 2019-04-15 00:30:23 UTC

Additionally, without -cipher argument I get output containing the following:

No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1559 bytes and written 467 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

Comment 5 Anton Oussik 2019-05-06 11:26:00 UTC

Building mumble 1.3-rc1 fixes this for me.

I suggest resolving this bug by bumping mumble to a more recent version.

Comment 6 Marco Schmidt 2019-05-07 04:51:40 UTC

This seems to be a problem of murmur. Since the upgrade from F29 to F30 it only offers TLS_AES_256_GCM_SHA384 as cipher and completely ignores crypto-policy settings. I've seen murmur-1.2.19-10.fc29 offering a lot more ciphers, after updating to F30 with 1.2.19-12.fc30 there's only one left (s.a.).

mumble-1.2.19-12.fc30 crashes every time I'm trying to start it, there's already another bug filed at https://bugzilla.redhat.com/show_bug.cgi?id=1706626

Sad days for mumble / murmur users on F30 :-/

Comment 7 bztdlinux 2019-05-07 16:14:56 UTC

It's not just murmur - connecting to public murmur instances also fails for me.

Comment 8 Stepan Broz 2019-05-11 22:49:44 UTC

I also have this problem, setting crypto-policies to LEGACY does not solve the issue.

Comment 9 Stepan Broz 2019-05-12 00:15:08 UTC

I wrote a patch for the SSL error that fixes my mumble issues, can anyone confirm that murmur issues are also addressed -- if there were any?

https://bugzilla.redhat.com/show_bug.cgi?id=1708925#c15

Made scratch-built packages for x86_64 (they will disappear in few days) check https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322

This build uses the patch from 1706626, and mine from 1708925 in a single .patch file. Works for me.

Comment 10 Will Foster 2019-05-16 13:47:39 UTC

Came to report I'm having the same issue, it's not possible to downgrade to the fc29 mumble without breaking libprotobuf

Comment 11 Will Foster 2019-05-16 14:02:12 UTC

(In reply to Stepan Broz from comment #9)
> I wrote a patch for the SSL error that fixes my mumble issues, can anyone
> confirm that murmur issues are also addressed -- if there were any?
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1708925#c15
> 
> Made scratch-built packages for x86_64 (they will disappear in few days)
> check https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322
> 
> This build uses the patch from 1706626, and mine from 1708925 in a single
> .patch file. Works for me.

Hey Stephan, I can confirm that I'm able to connect to servers again with your patched RPM.

However I keep getting disconnected after some short period of time.

Comment 12 Stepan Broz 2019-05-16 14:19:20 UTC

Hi, thanks for the feedback. Hopefully the package maintainer will address the issues soon.

I don't have any disconnect issues, though. Maybe that is a different/unrelated issue? Check the murmur logs, if you have access to them, and mumble client console for errors.

Comment 13 Will Foster 2019-05-16 15:13:46 UTC

(In reply to Will Foster from comment #11)
> (In reply to Stepan Broz from comment #9)
> > I wrote a patch for the SSL error that fixes my mumble issues, can anyone
> > confirm that murmur issues are also addressed -- if there were any?
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1708925#c15
> > 
> > Made scratch-built packages for x86_64 (they will disappear in few days)
> > check https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322
> > 
> > This build uses the patch from 1706626, and mine from 1708925 in a single
> > .patch file. Works for me.
> 
> Hey Stephan, I can confirm that I'm able to connect to servers again with
> your patched RPM.
> 
> However I keep getting disconnected after some short period of time.

After some further testing the disconnects were on my end, the patched RPM from Stephan work fine for me here:

https://koji.fedoraproject.org/koji/taskinfo?taskID=34800322

Comment 14 Rex Dieter 2019-05-16 16:11:28 UTC

I can help pull in fixes into packaging today

Comment 15 Fedora Update System 2019-05-16 17:21:53 UTC

mumble-1.2.19-13.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 16 Fedora Update System 2019-05-16 17:22:57 UTC

mumble-1.2.19-13.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 17 Marco Schmidt 2019-05-16 18:35:57 UTC

Thanks for the update, it also fixes https://bugzilla.redhat.com/show_bug.cgi?id=1706626

Comment 18 Fedora Update System 2019-05-17 03:48:47 UTC

mumble-1.2.19-13.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 19 Fedora Update System 2019-05-17 15:37:57 UTC

mumble-1.2.19-13.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 20 Fedora Update System 2019-05-17 20:42:47 UTC

mumble-1.2.19-14.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 21 Fedora Update System 2019-05-17 20:43:32 UTC

mumble-1.2.19-14.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 22 Fedora Update System 2019-05-18 00:53:51 UTC

mumble-1.2.19-14.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-03f5772e40

Comment 23 Fedora Update System 2019-05-18 04:11:13 UTC

mumble-1.2.19-14.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-0f25c63522

Comment 24 Fedora Update System 2019-05-22 01:40:02 UTC

mumble-1.2.19-14.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2019-05-28 02:00:43 UTC

mumble-1.2.19-14.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.