Bug 1100756

Summary: Installation of dovecot in FIPS mode hangs yum
Product: Red Hat Enterprise Linux 6 Reporter: Alicja Kario <hkario>
Component: dovecotAssignee: Michal Hlavinka <mhlavink>
Status: CLOSED ERRATA QA Contact: Alois Mahdal <amahdal>
Severity: high Docs Contact:
Priority: high    
Version: 6.5CC: amahdal, hkario, ksrot, mhlavink, ovasik, psklenar, tlavigne, tmraz
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: dovecot-2.0.9-15.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-22 06:57:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1064978    
Bug Blocks:    

Description Alicja Kario 2014-05-23 11:45:39 UTC 
Description of problem:
It's impossible to install dovecot in FIPS mode, yum hangs after the "Installing" step

Version-Release number of selected component (if applicable):
dovecot-2.0.9-7.el6.ppc64
openssl-1.0.1e-16.el6_5.8

How reproducible:
always

Steps to Reproduce:
1. put system in FIPS mode
2. install new openssl (penssl-1.0.1e-16.el6_5.8 or later)
3. yum install dovecot

Actual results:

Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Reinstall Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package dovecot.ppc64 1:2.0.9-7.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================
 Package                    Arch                     Version                           Repository                              Size
====================================================================================================================================
Reinstalling:
 dovecot                    ppc64                    1:2.0.9-7.el6                     rhel-ppc64-server-6                    2.0 M

Transaction Summary
====================================================================================================================================
Reinstall     1 Package(s)

Total size: 2.0 M
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 1:dovecot-2.0.9-7.el6.ppc64


Expected results:
dovecot installed

Additional info:
Problem probably caused by the new FIPS certified OpenSSL package. New FIPS rules don't allow 1024 bit DH, RSA or DSA keys: bug 1064978.
Comment 1 Tomas Mraz 2014-05-23 11:51:32 UTC 
Note that FIPS allows for 2048 and 3072 bit keys only in the FIPS mode.
Comment 2 Michal Hlavinka 2014-05-23 14:20:24 UTC 
Interesting. This should be already fixed.

(In reply to Hubert Kario from comment #0)
> 1. put system in FIPS mode

Is there some easy way how to do that? I always have to do fresh installation in fips mode. If I just add fips=1 to grub, I can't log in.
Comment 4 Michal Hlavinka 2014-05-26 09:10:55 UTC 
I just tried to reproduce this and it works for me.
Installation seemed to hang, but it was generating keys and it just waited for random number generator to have enough entropy. It completed a few seconds later.

If you are able to reproduce this, could you leave the installation hanged and send me login password for that machine? Thanks


(In reply to Tomas Mraz from comment #1)
> Note that FIPS allows for 2048 and 3072 bit keys only in the FIPS mode.

FYI, this was fixed in dovecot-2.0.9-7.el6, see bug #1010279
Comment 5 Alicja Kario 2014-05-26 16:39:23 UTC 
Then the new openssl reintroduces this issue:

[root@pes-guest-103 ~]# rpm -qf /usr/libexec/dovecot/ssl-params
dovecot-2.0.9-7.el6.x86_64
[root@pes-guest-103 ~]# /usr/libexec/dovecot/ssl-params
Info: Generating SSL parameters
Error: DH_generate_parameters(bits=512, gen=2) failed: error:0506A06E:lib(5):func(106):reason(110)
Error: DH_generate_parameters(bits=1024, gen=2) failed: error:0506A003:lib(5):func(106):reason(3)
Fatal: Unable to generate any DH parameter
Error: child process failed with status 22784
Comment 9 Karel Srot 2015-01-15 14:39:32 UTC 
Not sure if it is exactly the problem described above but I am seeing failures in FIPS with dovecot-2.0.9-8.el6_6.4 due to /usr/libexec/dovecot/mkcert.sh trying to generate not allowed certificates.


Generating a 1024 bit RSA private key
Error Generating Key
17590154273520:error:2D07406D:FIPS routines:RSA_BUILTIN_KEYGEN:invalid key length:rsa_gen.c:190:
Comment 11 Alois Mahdal 2015-04-15 19:12:18 UTC 
Is this supposed to be hardware-specific?

I just tried to reproduce it on all RHEL6 archs[*] and everywhere dovecot installed just fine.


 [*] except for s390x where FIPS cannot be enabled, as reported by
     /distribution/fips/setup-fips-enabled
Comment 14 Michal Hlavinka 2015-04-16 13:48:49 UTC 
It's not hardware specific. Just beware of a change in the openssl:
* Fri Jun 06 2014 Tomáš Mráz <tmraz> 1.0.1e-26
...
- FIPS mode: make the limitations on DSA, DH, and RSA keygen
  length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment
  variable is set

so new openssl versions do not affect the ssl-params by default
Comment 21 errata-xmlrpc 2015-07-22 06:57:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1348.html