error "sslv3 alert handshake failure" on access attempt to vscode yum repos

pgnd commented 1 year ago

on

    lsb_release -rd
        Description:    Fedora release 38 (Thirty Eight)
        Release:        38

with

    rpm -qa | grep -i ^code
        code-1.81.1-1691620770.el7.x86_64

previously installed from repo,

    cat /etc/yum.repos.d/vscode.repo
        [code]
        name=Visual Studio Code
        baseurl=https://packages.microsoft.com/yumrepos/vscode
        enabled=1
        gpgcheck=1
        gpgkey=https://packages.microsoft.com/keys/microsoft.asc

on update, FAILs

    dnf update
        ...
        Visual Studio Code                                                            0.0  B/s |   0  B     00:00
        Errors during downloading metadata for repository 'code':
          - Curl error (35): SSL connect error for https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml [OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure]
        Error: Failed to download metadata for repo 'code': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
        Ignoring repositories: code
        ...

checking

    curl -v https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
        * processing: https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
        *   Trying 40.117.131.251:443...
        * Connected to packages.microsoft.com (40.117.131.251) port 443
        * ALPN: offers h2,http/1.1
        * TLSv1.3 (OUT), TLS handshake, Client hello (1):
        *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
        *  CApath: /etc/ssl/certs
        * TLSv1.3 (IN), TLS alert, handshake failure (552):
        * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
        * Closing connection
        curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

comparing

    curl -v https://download.virtualbox.org/virtualbox/rpm/fedora/36/x86_64/repodata/repomd.xml
        * processing: https://download.virtualbox.org/virtualbox/rpm/fedora/36/x86_64/repodata/repomd.xml
        *   Trying 23.215.200.105:443...
        * Connected to download.virtualbox.org (23.215.200.105) port 443
        * ALPN: offers h2,http/1.1
        * TLSv1.3 (OUT), TLS handshake, Client hello (1):
        *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
        *  CApath: /etc/ssl/certs
        * TLSv1.3 (IN), TLS handshake, Server hello (2):
        * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
        * TLSv1.3 (OUT), TLS handshake, Client hello (1):
        ...
        (success)
        * Connection #0 to host download.virtualbox.org left intact

mbearup commented 1 year ago

@pgnd, Apologies that you're encountering issues here.

I'm unable to repro your error on Fedora 38. The download occurs with no errors in my testing, using the latest fedora:38 container image with no modifications.
From the output, it looks like your client may be forcing the use of TLSv1.3, which may be contributing to the error.
Could you try running your command against our beta instance, and see if it repros? curl -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml

pgnd commented 1 year ago

@mbearup

tls v1.3 @ ms

curl -v https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    * processing: https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    *   Trying 13.90.56.68:443...
    * Connected to packages.microsoft.com (13.90.56.68) port 443
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection
    curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

curl -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    * processing: https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    *   Trying 20.221.151.72:443...
    * Connected to beta.packages.microsoft.com (20.221.151.72) port 443
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection
    curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

tls v1.2 @ ms

curl --tlsv1.2 --tls-max 1.2 -v https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    * processing: https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    *   Trying 13.90.56.68:443...
    * Connected to packages.microsoft.com (13.90.56.68) port 443
    * ALPN: offers h2,http/1.1
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.2 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection
    curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

curl --tlsv1.2 --tls-max 1.2 -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    * processing: https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    *   Trying 20.221.151.72:443...
    * Connected to beta.packages.microsoft.com (20.221.151.72) port 443
    * ALPN: offers h2,http/1.1
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.2 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection
    curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

tls v1.2 @ oracle

curl --tlsv1.2 --tls-max 1.2 -v https://download.virtualbox.org/virtualbox/rpm/fedora/36/x86_64/repodata/repomd.xml
    * processing: https://download.virtualbox.org/virtualbox/rpm/fedora/36/x86_64/repodata/repomd.xml
    *   Trying 23.45.32.76:443...
    * Connected to download.virtualbox.org (23.45.32.76) port 443
    * ALPN: offers h2,http/1.1
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
    * ALPN: server accepted http/1.1
    * Server certificate:
    *  subject: C=US; ST=California; L=Redwood City; O=Oracle Corporation; CN=download.oracle.com
    ...

EDIT

ms' server lacks support for a variety of strong/modern TLS elliptic curve groups

https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/

requires inclusion of secp384r1

with

cat /etc/ssl/openssl.cnf
    ...
    Groups = x448:x25519:secp521r1:prime256v1

FAIL

curl -v https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    * processing: https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    *   Trying 13.90.56.68:443...
    * Connected to packages.microsoft.com (13.90.56.68) port 443
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection
    curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

with

cat /etc/ssl/openssl.cnf
    ...
-   Groups = x448:x25519:secp521r1:prime256v1
+   Groups = x448:x25519:secp521r1:prime256v1:secp384r1

OK

curl -v https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    * processing: https://packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    *   Trying 13.90.56.68:443...
    * Connected to packages.microsoft.com (13.90.56.68) port 443
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN: server accepted http/1.1
    * Server certificate:
    ...

jasonzio commented 1 year ago

We've the packages.microsoft.com service infrastructure to offer TLSv1.3 (in addition to TLSv1.2) during HTTPS negotiation. Please open a new issue if you see this problem again (vs. reopening this issue).

pgnd commented 1 year ago

@jasonzio it's not just an issue of "offering" TLS 1.3/1.2

as above, it's also an issue of enabling key exchange groups beyond simply older/weaker secp384r1

the FAIL continues @ MS' servers as per OP if key exchange ciphers don't include it

mbearup commented 1 year ago

@pgnd, thanks for validating and providing additional details. Our ciphers and algorithms are governed by corporate policy, and I'm following up with our crypto experts for the latest guidance. Will follow-up here when we have clarity, but I expect we'll be able to enable, at a minimum, secp521r1 and prime256v1.

mbearup commented 1 year ago

@pgnd we've gotten approval to enable prime256v1 and X25519, and I've deployed these changes to beta.packages.microsoft.com. Could you confirm that https://beta.packages.microsoft.com/ now works for you? If so, we'll proceed to deploy these changes to our packages.microsoft.com mirrors.

pgnd commented 1 year ago

@mbearup

testing key exchange @ beta.packages.microsoft.com

x448       FAIL
x25519     OK
secp521r1  FAIL
sec384r1   OK
prime256v1 OK

refs: https://www.ietf.org/rfc/rfc9325.txt https://csrc.nist.gov/pubs/sp/800/186/final

detail

grep Groups /etc/ssl/openssl.cnf
    Groups = x448

curl -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    ...
    * Connected to beta.packages.microsoft.com (20.252.182.97) port 443
    ...
    * TLSv1.3 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection
    curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

grep Groups /etc/ssl/openssl.cnf
    Groups = x25519

curl -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    ...
    * Connected to beta.packages.microsoft.com (20.221.151.72) port 443
    ...
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN: server accepted http/1.1
    * Server certificate:
    *  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=beta.packages.microsoft.com
    ...

grep Groups /etc/ssl/openssl.cnf
    Groups = secp521r1

curl -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    ...
    * Connected to beta.packages.microsoft.com (20.221.151.72) port 443
    ...
    * TLSv1.3 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection
    curl: (35) OpenSSL/3.0.9: error:0A000410:SSL routines::sslv3 alert handshake failure

grep Groups /etc/ssl/openssl.cnf
    Groups = secp384r1

curl -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    ...
    * Connected to beta.packages.microsoft.com (20.252.182.97) port 443
    ...
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN: server accepted http/1.1
    * Server certificate:
    *  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=beta.packages.microsoft.com

grep Groups /etc/ssl/openssl.cnf
    Groups = prime256v1

curl -v https://beta.packages.microsoft.com/yumrepos/vscode/repodata/repomd.xml
    ...
    * Connected to beta.packages.microsoft.com (20.221.151.72) port 443
    ...
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN: server accepted http/1.1
    * Server certificate:
    *  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=beta.packages.microsoft.com
    ...

mbearup commented 1 year ago

Thanks for confirming, @pgnd. Looks like the additional Elliptic Curve options are working.

microsoft / linux-package-repositories

error "sslv3 alert handshake failure" on access attempt to vscode yum repos #77