Bug 1842837

Summary: rpmlint reports crypto-policy-non-compliance-openssl
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: unbound
Assignee: aegorenk
Status: CLOSED ERRATA
QA Contact: Ondrej Mejzlik <omejzlik>
Severity: medium
Priority: medium
Version: 8.2
CC: aegorenk, omejzlik, psklenar
Target Milestone: rc
Keywords: EasyFix, Patch, TestCaseNotNeeded, Triaged
Target Release: 8.0
Hardware: All
OS: Linux
Doc Type: No Doc Update
Last Closed: 2021-05-18 15:50:37 UTC
Type: Bug
Bug Blocks: 1842847, 1894575

Description Ondrej Moriš 2020-06-02 07:47:19 UTC
Description of problem:

Crypto-policy non-compliance is reported by rpmlint.

Since RHEL-8.0 we have system-wide crypto policies - usage of cryptographic protocols such as TLS that are enforced system-wide. In general we want all applications in RHEL to be compliant with the crypto policy set on the system (see policy [1] inherited from Fedora).

Rpmlint detected that unbound uses SSL_CTX_set_cipher_list from the OpenSSL library without PROFILE=SYSTEM. This indicates that a custom setting is used rather than the system-wide crypto-policies setting. It is not a problem as long as it is intentional (e.g. a specific algorithm is requested by the user or configuration). However, unintentional usage might be a potential bug.

Could you please inspect the relevant parts of the code, check that this is not an rpmlint false positive, and verify that the custom setting is used intentionally?

 * If yes, feel free to close this BZ as NOT-A-BUG.
 * If not, could you please consider using system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting?

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies

Version-Release number of selected component (if applicable):

unbound-1.7.3-12.el8

How reproducible:

100%

Steps to Reproduce:

1. rpmlint unbound-1.7.3-12.el8.x86_64.rpm
Expected results:

No crypto-policy-non-compliance warning.

Actual results:

unbound.x86_64: W: crypto-policy-non-compliance-openssl /usr/sbin/unbound SSL_CTX_set_cipher_list 
unbound.x86_64: W: crypto-policy-non-compliance-openssl /usr/sbin/unbound-checkconf SSL_CTX_set_cipher_list 
unbound.x86_64: W: crypto-policy-non-compliance-openssl /usr/sbin/unbound-control SSL_CTX_set_cipher_list 
unbound.x86_64: W: crypto-policy-non-compliance-openssl /usr/sbin/unbound-streamtcp SSL_CTX_set_cipher_list
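The check behind those warnings, reproduced as an added example that is neither rpmlint's own code nor part of this bug report: it assumes rpmlint's heuristic is "the binary references SSL_CTX_set_cipher_list but carries no PROFILE=SYSTEM string", and extracts printable strings with tr rather than strings(1) so it runs on any POSIX system.

```shell
#!/bin/sh
# Added example: approximation of rpmlint's crypto-policy-non-compliance-openssl
# heuristic (an assumption about rpmlint, not its code). A binary that references
# SSL_CTX_set_cipher_list without the literal "PROFILE=SYSTEM" is assumed to set
# a custom cipher list instead of deferring to the system-wide crypto policy.

# printable_strings FILE: print the runs of printable characters in FILE,
# one per line (portable stand-in for strings(1)).
printable_strings() {
    tr -c '[:print:]' '[\n*]' < "$1"
}

# check_crypto_policy FILE
# Emits a warning in rpmlint's format and returns 1 when FILE references
# SSL_CTX_set_cipher_list but contains no PROFILE=SYSTEM; returns 0 otherwise
# (compliant, or not using the OpenSSL cipher-list API at all).
check_crypto_policy() {
    f=$1
    if ! printable_strings "$f" | grep -q 'SSL_CTX_set_cipher_list'; then
        return 0   # no custom cipher-list call; nothing to flag
    fi
    if printable_strings "$f" | grep -q 'PROFILE=SYSTEM'; then
        return 0   # cipher list defers to the system-wide crypto policy
    fi
    printf '%s: W: crypto-policy-non-compliance-openssl %s SSL_CTX_set_cipher_list\n' \
        "$(basename "$f")" "$f"
    return 1
}

# scan_files FILE...: check every argument; the return value is the number
# of non-compliant files found (0 means everything passed).
scan_files() {
    findings=0
    for f in "$@"; do
        check_crypto_policy "$f" || findings=$((findings + 1))
    done
    return "$findings"
}

# Usage: sh check_policy.sh /usr/sbin/unbound /usr/sbin/unbound-control
if [ "$#" -gt 0 ]; then
    scan_files "$@"
fi
```

Because the heuristic only looks for the PROFILE=SYSTEM string, a binary that passes a user-supplied cipher string through SSL_CTX_set_cipher_list will still be flagged, which is exactly the "intentional or not" question the report asks the maintainer to answer.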

Comment 10 errata-xmlrpc 2021-05-18 15:50:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: unbound security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1853