Bug 2026445

Summary: Finalize OpenSSL FIPS module
Product: Red Hat Enterprise Linux 9
Component: openssl
Version: 9.0
Status: CLOSED ERRATA
Severity: high
Priority: medium
Reporter: Dmitry Belyavskiy <dbelyavs>
Assignee: Dmitry Belyavskiy <dbelyavs>
QA Contact: Alicja Kario <hkario>
CC: dbelyavs, fdvorak, hkario, jpazdziora, ssorce
Target Milestone: rc
Keywords: Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Type: Bug
Last Closed: 2022-05-17 15:36:34 UTC
Bug Blocks: 1998991

Description Dmitry Belyavskiy 2021-11-24 16:51:17 UTC
The OpenSSL FIPS module was implemented via bz1985362. This is a follow-up bug.

We need to change
- the set of algorithms we certify
- the module version
- the behavior of some commands in FIPS mode

Comment 1 Alicja Kario 2021-12-20 14:33:04 UTC
The provider name also needs to change.

Comment 2 Alicja Kario 2021-12-20 16:12:22 UTC
Also, the /etc/pki/tls/fipsmodule.cnf file should be removed from the rpm, as it's not used.

Comment 3 Alicja Kario 2021-12-21 14:13:42 UTC
> - the set of algorithms we certify

To be more precise, we most likely will need to remove the SHA-1 hash and EdDSA from the fips provider.

Comment 4 Dmitry Belyavskiy 2021-12-21 14:21:38 UTC
I also suspect DSA.
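
Added example, not code from this bug or from the openssl package: a check that parses the algorithm list the fips provider advertises and flags the algorithms named in the description and in comments 3 and 4 (SHA-1, EdDSA, DSA), so the removal can be verified on a built package. It assumes OpenSSL 3.x `openssl list` output in the form `{ OID, name, aliases } @ provider` and that the fips provider can be loaded with `-provider fips`; the sample output in the block is constructed.

```python
import re
import subprocess

# Algorithms that comments 3 and 4 expect to disappear from the fips provider.
# Names are compared case-insensitively against every alias openssl prints.
NOT_CERTIFIED = {
    "digest": {"SHA-1", "SHA1"},
    "signature": {"ED25519", "ED448", "DSA"},
}
# Assumed entry format of `openssl list -<kind>-algorithms` in OpenSSL 3, e.g.
#   { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
LINE_RE = re.compile(r"\{\s*(?P<names>[^}]*)\}\s*@\s*(?P<provider>\S+)")

# Constructed sample output, used when no fips provider is available locally.
SAMPLE_DIGESTS = """Provided:
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips
  { 2.16.840.1.101.3.4.2.1, SHA2-256, SHA-256, SHA256 } @ fips
"""
SAMPLE_SIGNATURES = """Provided:
  { 1.2.840.10040.4.1, DSA, dsaEncryption } @ fips
  { 1.3.101.112, ED25519 } @ fips
"""

def parse_algorithm_list(text):
    """Map each provider name to the upper-cased set of names/aliases it advertises."""
    by_provider = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # headers such as "Provided:" carry no entry
        names = {n.strip().upper() for n in m.group("names").split(",") if n.strip()}
        by_provider.setdefault(m.group("provider"), set()).update(names)
    return by_provider

def unexpected_in_fips(text, kind):
    """Sorted names from NOT_CERTIFIED[kind] that the fips provider still advertises."""
    fips_names = parse_algorithm_list(text).get("fips", set())
    return sorted(n for n in NOT_CERTIFIED[kind] if n.upper() in fips_names)

def query_openssl(kind):
    """Ask the installed openssl for the fips provider's list; '' if that fails."""
    cmd = ["openssl", "list", f"-{kind}-algorithms", "-provider", "fips"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return ""

if __name__ == "__main__":
    for kind in NOT_CERTIFIED:
        out = query_openssl(kind) or {"digest": SAMPLE_DIGESTS, "signature": SAMPLE_SIGNATURES}[kind]
        print(kind, "still advertised by fips:", unexpected_in_fips(out, kind) or "none")
```

On a host where `openssl list -provider fips` fails (no fips provider loadable), the script falls back to the constructed sample so the parsing path can still be exercised.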

Comment 10 Alicja Kario 2022-01-19 14:36:09 UTC
Looks like cert signing with subjectKeyIdentifier is broken in fips mode: bug 2042448

Comment 11 Jan Pazdziora (Red Hat) 2022-01-21 10:50:16 UTC
The openssl-3.0.0-7.el9 which has

* Mon Jan 17 2022 Dmitry Belyavskiy <dbelyavs> - 1:3.0.0-7
- Remove algorithms we don't plan to certify from fips module
- Remove native fipsmodule.cnf
- Related: rhbz#2026445

in %changelog seems to have caused dnf segfaults when gpgcheck=0 is used: bug 2043476.

Comment 15 errata-xmlrpc 2022-05-17 15:36:34 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (new packages: openssl), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3900