Bug 2077884
Summary: | Small RSA keys work for some operations in FIPS mode
---|---
Product: | Red Hat Enterprise Linux 9
Component: | openssl
Version: | 9.0
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Reporter: | Alicja Kario <hkario>
Assignee: | Dmitry Belyavskiy <dbelyavs>
QA Contact: | Alexander Sosedkin <asosedki>
CC: | asosedki, cllang, dbelyavs, omoris, pemensik, ssorce
Target Milestone: | rc
Keywords: | Triaged, ZStream
Hardware: | Unspecified
OS: | Unspecified
Fixed In Version: | openssl-3.0.1-33.el9_0
Doc Type: | No Doc Update
: | 2091938
Last Closed: | 2023-06-05 16:08:34 UTC
Type: | Bug
Bug Blocks: | 2077906, 2077909, 2091938
It is quite sad, because those key lengths are used a lot in ZSK keys in DNSSEC. Quite a lot of them, including in-addr.arpa for all IPv4 reverse resolutions. All those might break once OpenSSL starts refusing it.

In order to provide a more proper justification for this action plan, we should comment a response to my question on the dnsop mailing list [1]. It provides a good justification that validation only can still be allowed, including a reference.

It should be clear in which version this is going to be fixed. It does not seem to be acceptable to fix this bug in 9.0, because it is not a small change. Severity to any DNSSEC validators is very high. It seems to me FIPS certification should allow the current state. Any change request should be properly justified, if there is not a way to opt out.

It seems to me keeping a way for a DNSSEC validator to verify shorter keys is very reasonable. Implementing an alternative way in DNS software, which would allow verification of just >=2048 keys, is non-trivial. Forcing disabling all validation seems quite against the FIPS purpose. Providing a custom and downstream-only change, which would allow legacy verification in DNSSEC validation software, seems a far better option to me.

This seems to me more like a feature change, not a bug. Can you change it to FutureFeature?

[1] https://mailarchive.ietf.org/arch/msg/dnsop/ySIyg2w9JDILh0DCo2tZVByyCPE/

There is the learn.uno. name, which uses a 1032 bit ZSK key for .uno. It should not validate under FIPS, but it still does. This seems to be the only TLD affected.

RHEL 9.1 contains openssl-3.0.1-43.el9_0.
Created attachment 1874396: certificates with 1024 bit RSA keys and sha-256 signatures

Description of problem:
While RHEL-9 disallows keygen of 1024 bit RSA keys in FIPS mode, it doesn't disallow verification of signatures made with 1024 bit RSA keys.

Version-Release number of selected component (if applicable):
openssl-3.0.1-21.el9.x86_64

How reproducible:
always

Steps to Reproduce:
1. tar xzf certs.tar.gz
2. openssl verify -CAfile ca/cert.pem server/cert.pem

Actual results:
server/cert.pem: OK

Expected results:
error because of too small key size

Additional info:
All operations with <2048 bit RSA keys should be disabled in FIPS mode.
Note that the certificates in certs.tar.gz are just examples; the important part is the key sizes, not any other values in them.
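
For the DNSSEC impact raised in the comments, an added example (not part of the bug report and not OpenSSL code): it reads the RSA modulus size from a DNSKEY public key field in RFC 3110 wire format and applies the 2048-bit floor named in the report, so an operator can see which keys a validator enforcing that floor would refuse. The function names, labels and sample keys are constructed for illustration; the moduli are dummy values, not real keys.

```python
import base64

FIPS_MIN_RSA_BITS = 2048  # floor stated in the bug report


def dnskey_rsa_bits(pubkey: bytes) -> int:
    """Return the RSA modulus size in bits from an RFC 3110 public key field."""
    if not pubkey:
        raise ValueError("empty public key field")
    # Exponent length is one octet, or 0x00 followed by a two-octet length.
    if pubkey[0] != 0:
        exp_len, offset = pubkey[0], 1
    else:
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(pubkey[1:3], "big"), 3
    modulus = pubkey[offset + exp_len:]
    if exp_len == 0 or not modulus:
        raise ValueError("truncated key material")
    # bit_length() ignores leading zero octets, so padding cannot inflate the size.
    return int.from_bytes(modulus, "big").bit_length()


def audit(keys: dict) -> dict:
    """Map each label to (modulus bits, allowed under the 2048-bit floor)."""
    result = {}
    for label, b64 in keys.items():
        bits = dnskey_rsa_bits(base64.b64decode(b64))
        result[label] = (bits, bits >= FIPS_MIN_RSA_BITS)
    return result


def _constructed_key(bits: int, pad: int = 0) -> str:
    """Build a well-formed field around a dummy modulus (constructed, not a real key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    field = b"\x03\x01\x00\x01" + b"\x00" * pad + modulus  # exponent 65537
    return base64.b64encode(field).decode()


# Constructed sample input: 1024 and 1032 bits as discussed in the thread,
# 2048 as the floor, and a 1024-bit modulus zero-padded to 256 octets.
SAMPLE_KEYS = {
    "zsk-1024": _constructed_key(1024),
    "zsk-1032": _constructed_key(1032),
    "ksk-2048": _constructed_key(2048),
    "padded-1024": _constructed_key(1024, pad=128),
}

if __name__ == "__main__":
    for label, (bits, ok) in audit(SAMPLE_KEYS).items():
        print(f"{label}: {bits} bits -> {'allowed' if ok else 'rejected'}")
```

The padded entry shows why the size has to come from the modulus value rather than the field length: a check based on octet count would report it as 2048 bits.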