update-crypto-policies not affecting Gnome Online Accounts

Bug #1872778 reported by Steven Jay Cohen
This bug affects 17 people
Affects                          Status      Importance  Assigned to  Milestone
gnome-online-accounts (Ubuntu)   Incomplete  Low         Unassigned
gnutls28 (Ubuntu)                Confirmed   Undecided   Unassigned

Bug Description

- crypto-policies 20190816git-1
- gnome-online-accounts 3.36.0-1ubuntu1

Changing between DEFAULT, LEGACY, and EMPTY has no effect on attempts to connect to accounts through Online Accounts.

Changing to LEGACY or EMPTY should at least change the following error:

Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

Under either LEGACY or EMPTY the (not long enough) error is nonsensical. The persistence of the incorrect error message could imply that gnome-online-accounts is not respecting settings made by crypto-policies.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnutls28 (Ubuntu):
status: New → Confirmed
Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and help make Ubuntu better. Unfortunately, we cannot work on this bug because your description didn't include enough information. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html. We'd be grateful if you would then provide a more complete description of the problem.

We have instructions on debugging some types of problems at http://wiki.ubuntu.com/DebuggingProcedures.

At a minimum, we need:
1. The specific steps or actions you took that caused you to encounter the problem.
2. The behavior you expected.
3. The behavior you actually encountered (in as much detail as possible).

Thanks!

Changed in gnome-online-accounts (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Steven Jay Cohen (stevenjaycohen) wrote :

1. The specific steps or actions you took that caused you to encounter the problem.

a. Go to Gnome Online Accounts and add a Google Apps Account (in my case nyu.edu)
b. After entering the email address see the following error:
Error performing TLS handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
c. Use update-crypto-policies to change the setting to LEGACY and EMPTY, then repeat step a.
d. Attempted the connection again.

2. The behavior you expected.

I would have expected to be able to connect under LEGACY or EMPTY. Or, alternatively, I would have expected a different error message (since by definition LEGACY would have accepted the shorter prime and EMPTY wouldn't have needed it).

3. The behavior you actually encountered (in as much detail as possible).

See that the error message still talks about "not long enough" in all 3 cases.

If you check the duplicate cases you will see that as of 20.04 connections are failing because of weak crypto. The only workaround is to tell the local system to lower its standards (LEGACY or NONE) until the people running the server get their act together.

But, since the error message remains constant, even when the setting has been changed, it looks like the mechanism running Online Accounts might not be referencing the setting like it should.

Now, it could just as likely be a poorly worded error message.

Matt Green (mgreen1718) wrote :
Steven Jay Cohen (stevenjaycohen) wrote :

The workaround works. Good workaround. Looking forward to an eventual fix.

Sebastien Bacher (seb128) wrote :
dhenry (tfc-duke) wrote :

I just encountered this issue when upgrading from 21.10 to 22.04, not with a Google account but with an orange.fr account. Worked around thanks to #4.
