Bug 1710825

Summary: dovecot hangs on start in FIPS mode
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: dovecot
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: richard
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: All
OS: Linux
Doc Type: No Doc Update
Last Closed: 2020-12-10 17:22:42 UTC
Type: Bug

Description Ondrej Moriš 2019-05-16 12:00:54 UTC
Description of problem:

When the system is in FIPS mode dovecot does not start; it just hangs when the service is started.

Version-Release number of selected component (if applicable):

dovecot-2.2.36-5.el8

How reproducible:

100% in FIPS mode

Steps to Reproduce:

1. fips-mode-setup --enable && reboot
2. service dovecot start

Actual results:

Dovecot service start hangs up.

Expected results:

Dovecot service starts.

Additional info:

There is no output in the journal. It seems like dovecot is being blocked waiting on entropy or something like that. Perhaps it is using /dev/random instead of getrandom()?

Comment 1 Richard Speelmans 2019-10-23 14:40:17 UTC
I had this same problem, but for me the problem was that Dovecot tries to generate Diffie-Hellman parameters with a key size smaller than what is allowed by the FIPS mode.

1. ls /var/lib/dovecot/ssl-parameters.dat
   ls: cannot access '/var/lib/dovecot/ssl-parameters.dat': No such file or directory

2. systemctl start dovecot

3. ps -efw | grep '[d]ovecot'
   root     18996 18097  0 16:19 pts/1    00:00:00 systemctl start dovecot
   root     18998     1  0 16:19 ?        00:00:00 /bin/sh -c  if [ ! -f /etc/pki/dovecot/certs/dovecot.pem ];  then   SSLDIR=/etc/pki/dovecot/ OPENSSLCONFIG=/etc/pki/dovecot/dovecot-openssl.cnf /usr/libexec/dovecot/mkcert.sh /dev/null 2>&1; fi; if [ ! -f /var/lib/dovecot/ssl-parameters.dat ];  then   /usr/libexec/dovecot/ssl-params >/dev/null 2>&1;  fi
   root     18999 18998  0 16:19 ?        00:00:00 /usr/libexec/dovecot/ssl-params

4. /usr/libexec/dovecot/ssl-params
   Info: Generating SSL parameters
   Fatal: ssl_iostream_generate_params(1024) failed: DH_generate_parameters(bits=512, gen=2) failed: error:0506A0C9:Diffie-Hellman routines:dh_builtin_genparams:key size too small, error:0506A003:Diffie-Hellman routines:dh_builtin_genparams:BN lib
   Error: child process failed with status 22784
   <<< hangs >>>

With strace I see the following:
[ SNIP ]
[pid 27107] openat(AT_FDCWD, "/proc/sys/crypto/fips_enabled", O_RDONLY) = 9
[pid 27107] read(9, "1\n", 2)           = 2
[pid 27107] close(9)                    = 0
[pid 27107] futex(0x7ff7e59eb0dc, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid 27107] futex(0x7ff7e59eb0d0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid 27107] brk(NULL)                   = 0x563561fbf000
[pid 27107] brk(0x563561fe0000)         = 0x563561fe0000
[pid 27107] futex(0x7ff7e59eb744, FUTEX_WAKE_PRIVATE, 2147483647) = 0
[pid 27107] write(2, "Fatal: ssl_iostream_generate_par"..., 245Fatal: ssl_iostream_generate_params(1024) failed: DH_generate_parameters(bits=512, gen=2) failed: error:0506A0C9:Diffie-Hellman routines:dh_builtin_genparams:key size too small, error:0506A003:Diffie-Hellman routines:dh_builtin_genparams:BN lib
) = 245
[pid 27107] fstat(8, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
[pid 27107] close(8)                    = 0
[pid 27107] exit_group(89)              = ?
[pid 27107] +++ exited with 89 +++
<... epoll_wait resumed> 0x563561fabd40, 1, -1) = -1 EINTR (Interrupted system call)
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=27107, si_uid=0, si_status=89, si_utime=1, si_stime=0} ---
write(5, "\0", 1)                       = 1
rt_sigreturn({mask=[]})                 = -1 EINTR (Interrupted system call)
epoll_wait(6, [{EPOLLIN, {u32=1643825056, u64=94787277080480}}], 1, -1) = 1
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
read(4, "\0", 64)                       = 1
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 89}], WNOHANG, NULL) = 27107
write(2, "Error: child process failed with"..., 46Error: child process failed with status 22784
) = 46
epoll_wait(6, 

Additional info:
# rpm -q openssl dovecot
openssl-1.1.1-8.el8.x86_64
dovecot-2.2.36-5.el8_0.1.x86_64

# cat /etc/redhat-release 
CentOS Linux release 8.0.1905 (Core)

Comment 3 Michal Hlavinka 2020-12-10 17:22:42 UTC
This should already be fixed. Configuration creates keys with sufficient size. They won't be overwritten on update, so users have to delete the old ones if they want them to be regenerated.
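The failure in Comment 1 is a DH modulus that is too small for the FIPS policy, and Comment 3 notes that parameters generated before the fix are not regenerated on update, so an administrator has to find and replace them. The following is an added example, not Dovecot or Red Hat code: it parses PEM-encoded PKCS#3 DH parameters (the format `openssl dhparam` writes; the `ssl-parameters.dat` file of the dovecot 2.2 build on this page uses a Dovecot-internal format that this parser does not read), reports the modulus bit length, and flags it when the host is in FIPS mode. The 2048-bit threshold, the `read_fips_enabled` helper and the sample parameter sets are assumptions constructed for the example; the sample moduli have the right size but are not real safe primes.

```python
"""Check PEM-encoded Diffie-Hellman parameters against a FIPS minimum modulus size.

Added example (not Dovecot or Red Hat code). Parses the PKCS#3 DHParameter
structure  SEQUENCE { prime INTEGER, base INTEGER, privateValueLength OPTIONAL }
and reports the modulus bit length, the value the FIPS policy rejected on this page.
"""
import base64
import re

# Assumed threshold: the smallest DH modulus a FIPS-enabled OpenSSL will generate.
FIPS_MIN_DH_BITS = 2048


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def der_dh_params(p: int, g: int) -> bytes:
    """Build a PKCS#3 DHParameter SEQUENCE (used here only to construct samples)."""
    body = _der_int(p) + _der_int(g)
    return b"\x30" + _der_len(len(body)) + body


def pem_encode(der: bytes, label: str = "DH PARAMETERS") -> str:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def _read_tlv(buf: bytes, off: int):
    """Return (tag, value, offset of the next element) for the TLV at buf[off]."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr = 2 + n
    start = off + hdr
    return tag, buf[start:start + length], start + length


def parse_dh_params(pem: str):
    """Return (p, g) from a PEM 'DH PARAMETERS' block; raise ValueError if malformed."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, off = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, off)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime and base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_modulus_bits(pem: str) -> int:
    """Bit length of the DH prime p, the size DH_generate_parameters complained about."""
    return parse_dh_params(pem)[0].bit_length()


def check_dh_params(pem: str, fips_enabled: bool):
    """Return (ok, message). Outside FIPS mode any parseable parameter set passes."""
    bits = dh_modulus_bits(pem)
    if fips_enabled and bits < FIPS_MIN_DH_BITS:
        return False, f"{bits}-bit DH modulus is below the {FIPS_MIN_DH_BITS}-bit FIPS minimum; regenerate it"
    return True, f"{bits}-bit DH modulus accepted"


def read_fips_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """Read the kernel flag the strace on this page shows ssl-params consulting."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:  # file absent: not a FIPS kernel (or not Linux)
        return False


# Constructed samples: moduli of the stated size, NOT real safe primes.
SAMPLE_WEAK_PEM = pem_encode(der_dh_params((1 << 511) | 1, 2))   # 512-bit, as in the bug
SAMPLE_OK_PEM = pem_encode(der_dh_params((1 << 2047) | 1, 2))    # 2048-bit

if __name__ == "__main__":
    fips = read_fips_enabled()
    for name, pem in (("weak", SAMPLE_WEAK_PEM), ("ok", SAMPLE_OK_PEM)):
        ok, msg = check_dh_params(pem, fips)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {msg}")
```

Run against a real file by passing `open(path).read()` to `check_dh_params` together with `read_fips_enabled()`; a FAIL on a FIPS host is the case Comment 3 describes, where the stale parameters have to be deleted so that a sufficiently large set is generated.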