Bug 1741285

Summary: TLS 1.2 CCM ciphers are not recognised in FIPS mode
Product: Red Hat Enterprise Linux 8 Reporter: Hubert Kario <hkario>
Component: opensslAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Hubert Kario <hkario>
Severity: low Docs Contact:
Priority: low    
Version: 8.0CC: omoris
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openssl-1.1.1c-6.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 16:51:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hubert Kario 2019-08-14 16:37:25 UTC 
Description of problem:
When system is running in FIPS mode it's not possible to use AES-CCM ciphers for connections in TLS 1.2

Version-Release number of selected component (if applicable):
openssl-1.1.1c-2.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. set the system up in FIPS mode
2. openssl s_server -key rsa-server/key.pem -cert rsa-server/cert.pem -cipher DHE-RSA-AES128-CCM


Actual results:
Error with command: "-cipher DHE-RSA-AES128-CCM"
139957070669632:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2549:

Expected results:
AES-CCM ciphers supported, working in FIPS mode

Additional info:
same error for AES256-CCM and with other key exchange modes (kRSA, ECDHE)

I'm not sure if rejecting the AES-CCM8 ciphers is correct – while we don't want them enabled by default, AFAIK, they are not FIPS non-compliant to the same degree Chacha20 or Camellia ciphers are...
Comment 7 errata-xmlrpc 2020-04-28 16:51:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1840
Comment 8 Fedora Update System 2020-05-29 00:56:54 UTC 
FEDORA-EPEL-2020-ff94ccbdec has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.