Bug 1990877

Summary: Activating legacy provider in openssl breaks new openssh connection
Product: Red Hat Enterprise Linux 9
Component: openssl
Version: 9.0
Reporter: Dmitry Belyavskiy <dbelyavs>
Assignee: Sahana Prasad <sahana>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: asosedki, dbelyavs, hkario
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Target Milestone: beta
Flags: pm-rhel: mirror+
Type: Bug
Last Closed: 2021-08-06 15:40:04 UTC

Description Dmitry Belyavskiy 2021-08-06 13:53:25 UTC
Description of problem:
The currently installed openssl.cnf contains the following section:

[default_sect]
# activate = 1

If there are no other provider sections, we load and activate the default provider according to the documentation.

If we add the legacy section and don't uncomment the activate=1 line, it becomes impossible to log in to the machine via ssh, because only legacy algorithms remain enabled.

Version-Release number of selected component (if applicable):
3.0.0

How reproducible:
Always

Steps to Reproduce:
1. vim /etc/pki/tls/openssl.cnf
2. add 'legacy = legacy_sect' to [provider_sect] section
3. add a section
[legacy_sect]
activate = 1
4. save the file
5. Try to ssh to the machine

Actual results:
$ ssh hostname
kex_exchange_identification: read: Connection reset by peer
Connection reset by hostname port 22

Expected results:
Successful ssh to remote machine

Additional info:
Looks like we can't do anything to avoid this problem, but if we activate the default provider explicitly and add an explanatory comment, it can help.
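To make the activation rule from the report concrete, here is an added example (not OpenSSL's code and not from the reporter) that parses the provider section of an OpenSSL 3.0 style openssl.cnf and reports which providers end up active; the two configs inside it are constructed to mirror the steps above, and the parser handles only the subset of the format needed here (no .include, no $variable expansion).

```python
# Added example (not OpenSSL's code, not from the report): parse the provider
# part of an OpenSSL 3.0 openssl.cnf and report which providers end up active.
import re

def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """Minimal {section: {key: value}} parser; keys before the first
    [section] land in "". No .include or $variable expansion."""
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def active_providers(text: str) -> list[str]:
    """Providers OpenSSL 3.0 activates for this config: the default provider
    is loaded implicitly only when no provider is activated explicitly."""
    cnf = parse_cnf(text)
    init_name = cnf[""].get("openssl_conf")
    init = cnf.get(init_name, {}) if init_name else {}
    prov_name = init.get("providers")
    providers = cnf.get(prov_name, {}) if prov_name else {}
    explicit = [name for name, sect in providers.items()
                if cnf.get(sect, {}).get("activate") == "1"]
    return explicit or ["default"]

# Constructed configs mirroring the report: legacy_sect activated while
# default_sect keeps its activate line commented out, and the fixed variant.
BROKEN_CNF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
# activate = 1
[legacy_sect]
activate = 1
"""
FIXED_CNF = BROKEN_CNF.replace("# activate = 1", "activate = 1")
```

Running active_providers on BROKEN_CNF yields only ['legacy'], which is why sshd has no usable key-exchange or signature algorithms; FIXED_CNF yields ['default', 'legacy'].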

Comment 1 Alicja Kario 2021-08-06 15:40:04 UTC
That's not the correct way to enable the legacy provider, so it breaking the system configuration is expected given the behaviour documented in the upstream documentation.

As such it's a duplicate of bug 1975836.

*** This bug has been marked as a duplicate of bug 1975836 ***