Bug 2085088

Summary: Incomplete filtering of ciphersuites in FIPS mode
Product: Red Hat Enterprise Linux 9
Reporter: Alicja Kario <hkario>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED CURRENTRELEASE
QA Contact: Alicja Kario <hkario>
Severity: low
Priority: low
Version: 9.0
CC: cllang, dbelyavs, ssorce
Target Milestone: rc
Keywords: Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssl-3.0.1-43.el9_0
Doc Type: No Doc Update
Last Closed: 2023-06-05 16:10:05 UTC
Type: Bug
Bug Blocks: 2091994

Description Alicja Kario 2022-05-12 19:02:39 UTC
Description of problem:
When OpenSSL is working in FIPS mode, the cipher selection process (which ciphers can actually be used) is incomplete. When OpenSSL is configured with ciphersuites like DHE-RSA-ARIA128-GCM-SHA256 it correctly aborts with a "no cipher match" error, as there are no ciphers usable for TLS 1.2.
If instead it's started with kRSA as the cipherstring, it will not abort, and it will actually attempt a connection, but the operation will fail on the client side, with it sending an internal_error alert instead of ClientKeyExchange.

Version-Release number of selected component (if applicable):
openssl-3.0.1-27.el9_0.

How reproducible:
always

Steps to Reproduce:
1. openssl req -x509 -newkey rsa -keyout localhost.key -out localhost.crt -subj /CN=localhost -nodes -batch
2. openssl s_server -key localhost.key -cert localhost.crt -cipher kRSA -www &> server.log &
3. openssl s_client -tls1_2 -cipher kRSA

Actual results:
client:
C0B11677537F0000:error:1C8000A5:Provider routines:rsa_encrypt:illegal or unsupported padding mode:providers/implementations/asymciphers/rsa_enc.c:157:
C0B11677537F0000:error:0A080006:SSL routines:tls_construct_cke_rsa:EVP lib:ssl/statem/statem_clnt.c:2863:

server:
C081DE4ED37F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80

Expected results:
the server should not start with the -cipher kRSA option; it should abort with a
C0F1676C707F0000:error:0A0000B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2731:

Additional info:
CCM8 ciphersuites aren't rejected at all
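A regression check for the gaps described in this report, as an added example that is not part of the bug report or of OpenSSL: it parses `openssl ciphers -v` output and flags ciphersuites a FIPS-mode cipher list should have filtered out (RSA key transport, CCM8, and non-AES bulk ciphers such as ARIA). The sample listing is constructed, and the allowlist of approved bulk ciphers is an assumption, not taken from the FIPS provider.

```python
import re

# Constructed sample of `openssl ciphers -v` output (not captured from the
# bug's system). Each line is: NAME PROTOCOL Kx=... Au=... Enc=ALG(bits) Mac=...
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8       TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM        TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-ARIA128-GCM-SHA256    TLSv1.2 Kx=DH       Au=RSA   Enc=ARIAGCM(128) Mac=AEAD
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Bulk-cipher algorithms a FIPS-mode cipher list is expected to keep
# (assumption: AES in CBC, GCM and full-tag CCM modes; everything else,
# e.g. ARIA, Camellia or ChaCha20, is expected to be filtered out).
FIPS_ENC_ALGS = {"AES", "AESGCM", "AESCCM"}


def audit_fips_ciphers(ciphers_v_output):
    """Return [(cipher_name, reason)] for every ciphersuite in the listing
    that a FIPS-mode cipher list should have rejected."""
    findings = []
    for line in ciphers_v_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unparseable lines
        alg = m["enc"].split("(", 1)[0]  # "AESGCM(128)" -> "AESGCM"
        if m["kx"] == "RSA":
            # RSA key transport: the report's kRSA case
            findings.append((m["name"], "RSA key transport (kRSA)"))
        elif alg.endswith("CCM8"):
            # 8-byte CCM tag: the report's "CCM8 ciphersuites aren't rejected"
            findings.append((m["name"], "CCM with 8-byte tag (CCM8)"))
        elif alg not in FIPS_ENC_ALGS:
            findings.append((m["name"], f"non-FIPS bulk cipher {alg}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_fips_ciphers(SAMPLE_CIPHERS_V):
        print(f"{name}: {reason}")
```

Against a live system, feed it the output of `openssl ciphers -v` run inside the FIPS-mode configuration under test; an empty result means the cipher list filtering left none of the suites this report is about.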

Comment 1 Dmitry Belyavskiy 2022-05-18 13:59:43 UTC
kRSA shouldn't be chosen by server in FIPS mode.

Comment 9 Clemens Lang 2023-06-05 16:10:05 UTC
RHEL 9.1 contains openssl-3.0.1-43.el9_0.