Bug 2032923

Summary: rpmlint reports crypto-policy-non-compliance-openssl
Product: Red Hat Enterprise Linux 9
Reporter: Dalibor Pospíšil <dapospis>
Component: librdkafka
Assignee: Sergio Arroutbi <sarroutb>
Status: CLOSED ERRATA
QA Contact: Dalibor Pospíšil <dapospis>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 9.0
CC: alakatos, dapospis, omoris, rsroka, sarroutb
Target Milestone: rc
Keywords: AutoVerified, Patch, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: librdkafka-1.6.1-100.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1842817
Environment:
Last Closed: 2022-05-17 13:56:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1842817
Bug Blocks: 1842847

Description Dalibor Pospíšil 2021-12-15 13:33:31 UTC
+++ This bug was initially created as a clone of Bug #1842817 +++

Description of problem:

Crypto-policy non-compliance is reported by rpmlint.

Since RHEL-8.0 we have system-wide crypto policies - usage of cryptographic protocols such as TLS that are enforced system-wide. In general we want all applications in RHEL to be compliant with the crypto policy set on the system (see policy [1] inherited from Fedora).

Rpmlint detected that librdkafka uses SSL_CTX_set_cipher_list from the OpenSSL library without PROFILE=SYSTEM. This indicates that a custom setting is used rather than the system-wide crypto-policies setting. It is not a problem as long as it is intentional (e.g. a specific algorithm is requested by the user or configuration). However, unintentional usage might be a potential bug.

Could you please inspect the relevant parts of the code, check that this is not an rpmlint false positive, and verify that the custom setting is used intentionally?

 * If yes, feel free to close this BZ as NOT-A-BUG.
 * If not, could you please consider using system-wide crypto policy setting (PROFILE=SYSTEM) instead of custom setting?

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/CryptoPolicies

Version-Release number of selected component (if applicable):

librdkafka-1.6.1-4.el9

How reproducible:

100%

Steps to Reproduce:

1. rpmlint librdkafka-0.11.4-1.el8.x86_64.rpm
Expected results:

No crypto-policy-non-compliance warning.

Actual results:

librdkafka.x86_64: W: crypto-policy-non-compliance-openssl /usr/lib64/librdkafka.so.1 SSL_CTX_set_cipher_list
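The warning above comes from a heuristic: a binary that references SSL_CTX_set_cipher_list but never embeds the string PROFILE=SYSTEM is assumed to override the system crypto policy. The script below is an added example (not part of this bug report or of rpmlint) that approximates that check with grep on constructed stand-in files; it assumes the real rpmlint check is the symbol-plus-string test just described, and that grep supports -a.

```sh
#!/bin/sh
# Simplified stand-in for rpmlint's crypto-policy-non-compliance-openssl
# check (assumption: rpmlint warns when a binary references
# SSL_CTX_set_cipher_list and does not contain "PROFILE=SYSTEM").
# Returns 0 when the file looks compliant, 1 when it would be flagged,
# 2 when the file cannot be read.
check_openssl_policy() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 2; }
    # grep -a scans the ELF image as text; dynamic symbol names and string
    # literals both appear as NUL-terminated byte strings in the file.
    if ! grep -aq 'SSL_CTX_set_cipher_list' "$f"; then
        echo "ok: $f does not call SSL_CTX_set_cipher_list"
        return 0
    fi
    if grep -aq 'PROFILE=SYSTEM' "$f"; then
        echo "ok: $f calls SSL_CTX_set_cipher_list and embeds PROFILE=SYSTEM"
        return 0
    fi
    echo "W: crypto-policy-non-compliance-openssl $f SSL_CTX_set_cipher_list"
    return 1
}

# Constructed stand-ins for the OLD and NEW builds compared in Comment 5;
# these are not real ELF files, just the byte strings the check looks for.
tmp="${TMPDIR:-/tmp}/cpcheck.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf 'ELF\0SSL_CTX_set_cipher_list\0ssl.cipher.suites\0' > "$tmp/old.so"
printf 'ELF\0SSL_CTX_set_cipher_list\0PROFILE=SYSTEM\0' > "$tmp/new.so"
printf 'ELF\0rd_kafka_new\0' > "$tmp/nossl.so"

for so in "$tmp/old.so" "$tmp/new.so" "$tmp/nossl.so"; do
    check_openssl_policy "$so" || echo "  -> would fail the crypto-policy test"
done
```

On a real package the same idea is applied to the unpacked .so files, e.g. /usr/lib64/librdkafka.so.1 from the rpm, rather than to constructed files.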

Comment 5 Sergio Arroutbi 2022-02-07 09:51:00 UTC
OLD librdkafka-1.6.1-4.el9.x86_64
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Ensure system crypto policies are used by default
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 04:36:25 ] :: [   PASS   ] :: Check for common rpm problems (Expected 0-64, got 0)
:: [ 04:36:25 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.lFK9vayG' should not contain 'crypto-policy-non-compliance-gnutls'
:: [ 04:36:25 ] :: [   FAIL   ] :: File '/var/tmp/rlRun_LOG.lFK9vayG' should not contain 'crypto-policy-non-compliance-openssl'
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 1s
::   Assertions: 2 good, 1 bad
::   RESULT: FAIL (Ensure system crypto policies are used by default)
NEW librdkafka-1.6.1-100.el9.x86_64
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Ensure system crypto policies are used by default
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 04:41:09 ] :: [   PASS   ] :: Check for common rpm problems (Expected 0-64, got 0)
:: [ 04:41:09 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.mIWphswd' should not contain 'crypto-policy-non-compliance-gnutls'
:: [ 04:41:09 ] :: [   PASS   ] :: File '/var/tmp/rlRun_LOG.mIWphswd' should not contain 'crypto-policy-non-compliance-openssl'
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 1s
::   Assertions: 3 good, 0 bad
::   RESULT: PASS (Ensure system crypto policies are used by default)

Comment 13 errata-xmlrpc 2022-05-17 13:56:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: librdkafka), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2620