Bug 1842805

Summary: rpmlint reports crypto-policy-non-compliance-openssl
Product: Red Hat Enterprise Linux 8
Component: galera
Version: 8.2
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Reporter: Ondrej Moriš <omoris>
Assignee: Michal Schorm <mschorm>
QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
CC: databases-maint, hhorak
Target Milestone: rc
Target Release: 8.0
Hardware: All
OS: Linux
Type: Bug
Last Closed: 2020-07-16 10:43:41 UTC
Bug Blocks: 1842847, 1856812

Description Ondrej Moriš 2020-06-02 07:19:11 UTC
Description of problem:

Crypto-policy non-compliance is reported by rpmlint.

Since RHEL-8.0 we have system-wide crypto policies - usage of cryptographic protocols such as TLS that are enforced system-wide. In general we want all applications in RHEL to be compliant with the crypto policy set on the system (see policy [1] inherited from Fedora).

Rpmlint detected that galera uses SSL_CTX_set_cipher_list from OpenSSL library without PROFILE=SYSTEM. This indicates that a custom setting is used rather than system-wide crypto-policies setting. It is not a problem as long as it is intentional (e.g. specific algorithm is requested by user or configuration). However, unintentional usage might be a potential bug.

Could you please inspect relevant parts of the code, check that this is not an rpmlint false positive and verify that custom setting is used intentionally?

 * If yes, feel free to close this BZ as NOT-A-BUG.
 * If not, could you please consider using system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting?

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies

Version-Release number of selected component (if applicable):

galera-25.3.26-1.module+el8.1.0+3974+90eded84

How reproducible:

100%

Steps to Reproduce:

1. rpmlint galera-25.3.26-1.module+el8.1.0+3974+90eded84.x86_64.rpm


Expected results:

No crypto-policy-non-compliance warning.

Actual results:

galera.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/galera/libgalera_smm.so SSL_CTX_set_cipher_list 
galera.x86_64: W: crypto-policy-non-compliance-openssl /usr/sbin/garbd SSL_CTX_set_cipher_list

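The pattern the reporter asks for above (honour an explicit operator cipher string as an intentional override, otherwise defer to the system-wide policy), shown as an added example that is not galera's code and not part of this bug. Python's `ssl.SSLContext.set_ciphers()` is CPython's binding of OpenSSL's `SSL_CTX_set_cipher_list()`, the call rpmlint flagged, so the same decision can be exercised without a C build. One caveat the example also handles: the `PROFILE=SYSTEM` keyword comes from the Fedora/RHEL OpenSSL patch, not upstream OpenSSL, so on an unpatched library the call fails and the application must decide what to do. Function names and the sample cipher strings are my own.

```python
"""Cipher-string selection for SSL_CTX_set_cipher_list() under system-wide
crypto policies.  Added example; not galera's code.

ssl.SSLContext.set_ciphers() is the Python binding of OpenSSL's
SSL_CTX_set_cipher_list(), the call rpmlint flagged in this bug.
"""
import ssl
from typing import List, Optional

# Keyword that defers cipher selection to /etc/crypto-policies on
# Fedora/RHEL OpenSSL builds (a downstream patch, not upstream OpenSSL).
# Per the bug description, rpmlint looks for this literal next to the call.
SYSTEM_PROFILE = "PROFILE=SYSTEM"


def choose_cipher_string(configured: Optional[str]) -> str:
    """Pick the string to pass to SSL_CTX_set_cipher_list().

    A non-blank operator-supplied string is an intentional override and is
    used verbatim (the case the reporter says is acceptable); otherwise the
    system-wide policy is requested.
    """
    if configured is not None and configured.strip():
        return configured.strip()
    return SYSTEM_PROFILE


def make_context() -> ssl.SSLContext:
    """A fresh client context; only its cipher list matters here."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def apply_cipher_policy(ctx: ssl.SSLContext, configured: Optional[str]) -> Optional[str]:
    """Apply the chosen cipher string to ctx and report what is in effect.

    Returns the string now active, or None when nothing was configured and
    the OpenSSL build does not understand PROFILE=SYSTEM (an unpatched,
    non-RHEL library).  OpenSSL leaves the previous list untouched when
    SSL_CTX_set_cipher_list() fails, so the library default stays in place.
    An explicit operator string that OpenSSL rejects is a configuration
    error and is re-raised rather than silently replaced by something else.
    """
    wanted = choose_cipher_string(configured)
    try:
        ctx.set_ciphers(wanted)  # -> SSL_CTX_set_cipher_list(ctx, wanted)
    except ssl.SSLError:
        if configured is not None and configured.strip():
            raise
        return None
    return wanted


def tls12_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Names of the TLS 1.2-and-below ciphers now enabled on ctx.

    TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are governed by a separate
    OpenSSL call, so they are filtered out to show the cipher string's
    effect on its own.
    """
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


if __name__ == "__main__":
    # Constructed sample settings, as an operator might write them in a config file.
    for cfg in (None, "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"):
        ctx = make_context()
        active = apply_cipher_policy(ctx, cfg)
        print(f"configured={cfg!r} active={active!r} ciphers={tls12_cipher_names(ctx)}")
```

On a RHEL/Fedora OpenSSL the unconfigured case reports `PROFILE=SYSTEM` and the enabled cipher list tracks whatever `update-crypto-policies` selected; on upstream OpenSSL the same call raises and the example falls back to the library default, which is the situation a binary shipped outside the distribution has to live with.
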
Comment 1 Honza Horak 2020-06-02 20:31:37 UTC
I didn't check whether it is the same case, but we had something similar before and considered it ok:
https://bugzilla.redhat.com/show_bug.cgi?id=1348123#c4

Comment 2 Michal Schorm 2020-07-16 10:08:30 UTC
It is used intentionally.
As far as I understand, it is used to enable OpenSSL ECDH functionality AND to apply user configuration.

I'd like someone else to double check after me, though.

Affected file: "galerautils/src/gu_asio.cpp"