| Summary: | Can not restart stunnel service due to bad openSSL rpm | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Michael <michael_furman> |
| Component: | openssl | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.7 | | |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-04-06 11:44:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Description
Michael
2016-04-06 11:25:54 UTC
Tomas Mraz:

No, the openssl rpm is OK. However, stunnel tries to run openssl in FIPS mode even if the machine is not running in FIPS mode. Prelink modifies the openssl libraries when prelinking, which should not happen when the machine is properly set up for FIPS mode. Anyway, stunnel will no longer be running in FIPS mode by default in the erratum that is being prepared for RHEL-6.8, so you should not experience this problem after you update to that erratum once it is released. You can work around it for now either by disabling prelink or by setting fips=no in the stunnel configuration.

Michael:

Thanks for the fastest response! Can you explain why the problem disappears when we reinstall OpenSSL? Additional questions:

1) Was FIPS mode changed with new builds of the OpenSSL RPM?
2) How is it possible to obtain stunnel RPMs that do not use FIPS mode?

Tomas Mraz:

0) Because when you reinstall openssl, the library files modified by prelink are replaced with the unmodified ones from the rpm package.
1) No, it was incorrectly changed with the previous stunnel erratum.
2) Please use the regular Red Hat support channels to make this request; I cannot help you with that here. Or simply wait for the erratum to be released.

Michael:

Tomas, thank you for the fast and informative help! I will be really appreciative if you help with this: how can we reproduce the problem again? I mean, we performed "yum reinstall openssl" and the problem disappeared. Can we run some command to change openssl back? We want to see the stunnel exceptions upon the restart of the stunnel service once again. We need it since we have fixed the bug in the configuration in the new version and want to see that the stunnel problem is reproduced in the old version. please please help

Tomas Mraz:

You can manually change the .libcrypto.so.10.hmac file that is part of the openssl package on the file system to test. Just modify the hexadecimal checksum it contains; a single byte modification should be sufficient.

Michael:

Tomas, I have changed /usr/lib/.libssl.so.1.0.1e.hmac (one character). Unfortunately, I succeeded in restarting stunnel:

```
service stunnel restart
Stopping stunnel: [ OK ]
Starting stunnel: [ OK ]
```

Should I do anything else? We really want to reproduce the restart of stunnel with the exception:

```
2016.04.05 11:29:59 LOG3[14425:139853811828672]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match
```

Tomas Mraz:

You need to modify /usr/lib64/.libssl.so.1.0.1e.hmac, which is in the x86_64 package and not the one of the i686 package.

Michael:

Thank you very much! The change of the file in /usr/lib64 reproduces the problem.
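The fingerprint check this thread is exercising, as an added Python model that is not code from this report or from the openssl package: the HMAC key, the digest algorithm and the library bytes are constructed stand-ins (the real key compiled into the RHEL build is not on this page), while the two .hmac paths are the ones named above. It shows why prelink's rewrite and a one-character .hmac edit fail the check, why a reinstall passes it again, and why editing the i686 file changes nothing for an x86_64 stunnel.

```python
import hmac
import hashlib

# CONSTRUCTED placeholder key and algorithm; the real key compiled into the
# RHEL openssl build is not on this page, so a stand-in is used here.
HMAC_KEY = b"placeholder-fips-hmac-key"

# CONSTRUCTED stand-ins for the two library files (no real ELF content needed).
LIB64_BYTES = b"\x7fELF" + b"x86_64 libssl.so.1.0.1e code and relocations " * 8
LIB32_BYTES = b"\x7fELF" + b"i686 libssl.so.1.0.1e code and relocations " * 8
LIB64_HMAC = "/usr/lib64/.libssl.so.1.0.1e.hmac"  # the file a 64-bit stunnel reads
LIB32_HMAC = "/usr/lib/.libssl.so.1.0.1e.hmac"    # belongs to the i686 package

def hmac_file_contents(lib_bytes: bytes) -> str:
    """Hex digest the package build stores in the .hmac file beside the library."""
    return hmac.new(HMAC_KEY, lib_bytes, hashlib.sha256).hexdigest()

def fips_fingerprint_ok(lib_bytes: bytes, stored_hex: str) -> bool:
    """The FIPS_mode_set check: recompute over the library on disk and compare."""
    return hmac.compare_digest(hmac_file_contents(lib_bytes), stored_hex.strip())

def prelink_like_rewrite(lib_bytes: bytes) -> bytes:
    """Stand-in for prelink patching relocations in place (same length, new bytes)."""
    body = bytearray(lib_bytes)
    body[64:72] = b"RELOCATE"
    return bytes(body)

def flip_one_hex_char(stored_hex: str) -> str:
    """The reproduction from the thread: change a single character of the .hmac file."""
    new_first = "1" if stored_hex[0] == "0" else "0"
    return new_first + stored_hex[1:]

def scenarios() -> dict:
    """Each situation from the report, mapped to whether stunnel's FIPS check passes."""
    on_disk = {LIB64_HMAC: hmac_file_contents(LIB64_BYTES),
               LIB32_HMAC: hmac_file_contents(LIB32_BYTES)}
    wrong_file = {**on_disk, LIB32_HMAC: flip_one_hex_char(on_disk[LIB32_HMAC])}
    right_file = {**on_disk, LIB64_HMAC: flip_one_hex_char(on_disk[LIB64_HMAC])}
    return {
        "pristine_install": fips_fingerprint_ok(LIB64_BYTES, on_disk[LIB64_HMAC]),
        # prelink rewrote the library but the .hmac still describes the original file
        "after_prelink": fips_fingerprint_ok(prelink_like_rewrite(LIB64_BYTES), on_disk[LIB64_HMAC]),
        # yum reinstall restores the packaged library, so the stored digest matches again
        "after_reinstall": fips_fingerprint_ok(LIB64_BYTES, on_disk[LIB64_HMAC]),
        # editing the i686 .hmac leaves the file the x86_64 stunnel actually reads intact
        "i686_hmac_edited": fips_fingerprint_ok(LIB64_BYTES, wrong_file[LIB64_HMAC]),
        # editing the x86_64 .hmac is what reproduces "fingerprint does not match"
        "x86_64_hmac_edited": fips_fingerprint_ok(LIB64_BYTES, right_file[LIB64_HMAC]),
    }
```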