[Bug 1872778] Re: update-crypto-policies not affecting Gnome Online Accounts
Steven Jay Cohen
1872778 at bugs.launchpad.net
Tue Apr 14 19:59:47 UTC 2020
1. The specific steps or actions you took that caused you to encounter
the problem.
a. Go to Gnome Online Accounts and add a Google Apps Account (in my case nyu.edu)
b. After entering the email address see the following error:
Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
c. Use update-crypto-policies to change setting to LEGACY and EMPTY, then repeat step A
d. Attempted the connection again.
2. The behavior you expected.
I would have expected to be able to connect under LEGACY or EMPTY. Or,
alternatively, I would have expected a different error message (since by
definition LEGACY would have accepted the shorter prime and EMPTY
wouldn't have needed it).
3. The behavior you actually encountered (in as much detail as
possible).
See that the error message still talks about "not long enough" in all 3
cases.
If you check the duplicate cases you will see that as of 20.04
connections are failing because of weak crypto. The only workaround is
to tell the local system to lower its standards (LEGACY or NONE) until
the people running the server get their act together.
But, since the error message remains constant, even when the setting has
been changed, it looks like the mechanism running Online Accounts might
not be referencing the setting like it should.
Now, it could just as likely be a poorly worded error message.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls28 in Ubuntu.
https://bugs.launchpad.net/bugs/1872778
Title:
update-crypto-policies not affecting Gnome Online Accounts
Status in gnome-online-accounts package in Ubuntu:
Incomplete
Status in gnutls28 package in Ubuntu:
Confirmed
Bug description:
- crypto-policies 20190816git-1
- gnome-online-accounts 3.36.0-1ubuntu1
Changing between DEFAULT, LEGACY, and EMPTY has no effect on attempts
to connect to accounts through Online Accounts.
Changing to LEGACY or EMPTY should at least change the following
error:
Error performing TLS handshake: The Diffie-Hellman prime sent by the
server is not acceptable (not long enough).
Under either LEGACY or EMPTY the (not long enough) error is
nonsensical. The persistence of the incorrect error message could
imply that gnome-online-accounts is not respecting settings made by
crypto-policies.