Once upon a time, Ed Greshko <ed.gres...@greshko.com> said: > On 06/01/2021 04:10, Chris Adams wrote: > >I'm getting an error connecting to an HTTPS website with Firefox of > >SSL_ERROR_NO_CYPHER_OVERLAP on Fedora 33. How do I see what ciphers > >Firefox is configured to use? > > > >When I use a public scanner to see what the site supports, it appears > >that there are multiple secure ciphers available, so I don't know why > >Firefox doesn't like them (and it doesn't provide any more information). > > > >The site in question is https://support.juniper.net/. > > > >I understand adjusting Fedora settings to require good security, and I > >know I can lower security system-wide, but no debugging info is not > >good. And really - having to lower system-wide security settings to > >allow connection to one site is a poor design. > > See https://bugzilla.redhat.com/show_bug.cgi?id=1893581 and > https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2 > > In the second link, see the section on " Upgrade/compatibility impact"
Yeah, I see that, but I don't see what is wrong with support.juniper.net. If I set the system policy to LEGACY and run openssl s_client, I see: Peer signing digest: SHA256 Peer signature type: RSA Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 6642 bytes and written 485 bytes Verification: OK --- New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit I can't see what is wrong; I think that all meets the policy. And that's a problem with the single all-encompassing policy... except oh by the way it isn't all-encompassing. Midori and Chromium both connect just fine; so can gnutls-cli (I don't know of a corresponding NSS client). So this appears to stop OpenSSL and NSS but not GnuTLS. Off to file a bug, against crypto-policies I guess to start. -- Chris Adams <li...@cmadams.net> _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
