On 11/26/19 10:13 PM, Todd Zullinger wrote:
Adrian Sevcenco wrote:
Does anyone have a pointer or idea what changed in terms
of ciphers or algos or curves between the two versions?

I have 2 pieces of software: the server, which is Java
based, and the client (Python based, websockets).

On centos7 1.0.2.k-fips I can connect to the localhost, but
in fedora{30,31} I have an SSLV3_ALERT_CERTIFICATE_UNKNOWN
error.

Any idea what is going on?

The error suggests that the application you're running
is using SSLv3 which is not supported.  The POODLE attack
effectively killed SSLv3.

So, yeah, I overlooked giving the needed information:
s_client gives me this:

SSL handshake has read 1338 bytes and written 2102 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
140097724061504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:ssl/record/rec_layer_s3.c:1543:SSL alert number 46

The CA is self-signed...

Also, in Ubuntu with openssl 1.1.1 it works, but in my Fedora with 1.1.1d it does not...

I keep looking over https://www.openssl.org/news/cl111.txt
but nothing pops...

Does anyone have any idea?

Thank you!!
Adrian




I'm not sure if you can even enable SSLv3 with Fedora's
openssl anymore.  If you can, it's likely by using
update-crypto-policies to set to LEGACY or some other
profile which includes support for broken protocols like
SSLv3.

It's far better to fix the application to use a secure
protocol though.

If this app is only running on localhost and accessible
there, you might just be better off dropping TLS/SSL
entirely.  Obviously, that's not a reasonable solution if
this needs to be accessed outside of your local system.  But
then, neither is using SSLv3 in that case. :)

The openssl s_client command is useful for testing these
sort of things.  It can help you see what protocols are
being attempted.


_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org



--
----------------------------------------------
Adrian Sevcenco, Ph.D.                       |
Institute of Space Science - ISS, Romania    |
adrian.sevcenco at {cern.ch,spacescience.ro} |
----------------------------------------------
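
Added example, not part of the original message or of either poster's code: a small Python parser for the s_client transcript quoted above, reporting the negotiated protocol from the "New, ..." line separately from the alert named in the error line. The function name triage and the alert table are this example's own; the error-code layout it checks is assumed to be OpenSSL 1.1.1's.

```python
import re

# TLS alert descriptions (RFC 8446, section 6); subset relevant to certificate problems.
ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 116: "certificate_required",
}

# Lines copied from the s_client output quoted in the message above.
SAMPLE = """\
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---
140097724061504:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:ssl/record/rec_layer_s3.c:1543:SSL alert number 46
"""

NEGOTIATED = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)
VERIFY = re.compile(r"^Verify return code: (\d+)", re.M)
ERRLINE = re.compile(
    r"^\w+:error:([0-9A-Fa-f]+):SSL routines:(\w+):([^:]+):.*?SSL alert number (\d+)", re.M)

def triage(transcript):
    """Summarise an s_client transcript: protocol, local verify result, alert."""
    out = {"protocol": None, "cipher": None, "verify_code": None, "alert": None}
    m = NEGOTIATED.search(transcript)
    if m:
        out["protocol"], out["cipher"] = m.groups()
    m = VERIFY.search(transcript)
    if m:
        out["verify_code"] = int(m.group(1))
    m = ERRLINE.search(transcript)
    if m:
        code, func, reason, num = m.group(1), m.group(2), m.group(3), int(m.group(4))
        out["alert"] = {
            "number": num,
            "name": ALERTS.get(num, "unknown(%d)" % num),
            "reason": reason,
            # ssl3_read_bytes processes incoming records: the alert was sent by the peer.
            "received_from_peer": func == "ssl3_read_bytes",
            # Low 12 bits of the packed code are the reason: 1000 + alert number.
            "reason_code_matches": (int(code, 16) & 0xFFF) == 1000 + num,
        }
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the quoted transcript this reports TLSv1.3 as the negotiated protocol, verify code 0 on the s_client side, and alert 46 (certificate_unknown) received from the peer.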
