Bug 2155607

Summary: PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode
Product: Red Hat Enterprise Linux 9
Reporter: Jeremy Absher <jabsher>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA
QA Contact: Michal Polovka <mpolovka>
Severity: unspecified
Docs Contact: David Voženílek <dvozenil>
Priority: unspecified
Version: 9.1
CC: asosedki, cllang, csnapp, dvozenil, fhanzelk, frenaud, gfialova, jjelen, jrische, mjurasek
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: krb5-1.21.1-1.el9
Doc Type: Known Issue
Doc Text:

.A workaround to preserve RHEL-Windows interoperability in RHEL 9 is now available

In RHEL 9, the FIPS-140-3 standard does not allow SHA-1 signatures. Consequently, PKINIT authentication does not work between Microsoft Windows and RHEL hosts in FIPS mode because Windows only complies with the FIPS-140-2 standard, which allows SHA-1 signatures. To work around the problem, this update introduces a FIPS exception for PKINIT signature verification, allowing SHA-1 checksum and signature verification (not generation) for PKINIT authentication. Note that with this exception applied, the `SHA1` cryptographic module still remains disabled by default in FIPS mode. For more information, see the link:https://access.redhat.com/solutions/7003853[AD Domain Users unable to login in to the FIPS-compliant environment] KCS solution.

Story Points: ---
Clone Of:
: 2209717 2214300
Environment:
Last Closed: 2023-11-07 08:56:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2209717, 2214300

Comment 47 errata-xmlrpc 2023-11-07 08:56:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: krb5 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6699