Bug 2155607
Field | Value
---|---
Summary | PKINIT: CMS SHA-1 signature verification cannot be allowed in FIPS mode
Product | Red Hat Enterprise Linux 9
Component | krb5
Version | 9.1
Status | CLOSED ERRATA
Severity | unspecified
Priority | unspecified
Reporter | Jeremy Absher <jabsher>
Assignee | Julien Rische <jrische>
QA Contact | Michal Polovka <mpolovka>
Docs Contact | David Voženílek <dvozenil>
CC | asosedki, cllang, csnapp, dvozenil, frenaud, gfialova, jjelen, jrische, mjurasek
Target Milestone | rc
Keywords | Triaged, ZStream
Hardware | Unspecified
OS | Unspecified
Type | Bug
Fixed In Version | krb5-1.21.1-1.el9
Doc Type | Bug Fix
Clones | 2209717, 2214300
Bug Blocks | 2209717, 2214300
Last Closed | 2023-11-07 08:56:13 UTC

Doc Text:

SHA-1 signature verification can now be allowed in FIPS mode

Previously, it was not possible to allow SHA-1 signature verification when Identity Management (IdM) was in FIPS mode, because IdM follows the FIPS 140-3 standard, which does not allow SHA-1 signatures. This broke Active Directory (AD) interoperability: AD complies only with the older FIPS 140-2 standard and still uses SHA-1 signatures.

This update introduces a FIPS exception that applies only to PKINIT signature verification. For that operation, the FIPS-mode restrictions are not enforced and only the default-mode restrictions apply, so the SHA1 subpolicy of the system-wide crypto policy can take effect even when the system is in FIPS mode. As a result, AD interoperability in FIPS mode works as intended. The exception covers verification of PKINIT signatures only; it does not by itself enable SHA-1, and SHA-1 is not re-enabled for other operations in FIPS mode.

In an IdM/AD trust, or when a RHEL 9.2 or later host is used as an AD client, you still need to set the system-wide crypto policy to FIPS:AD-SUPPORT:SHA1 for PKINIT to work in FIPS mode.
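The following script is an added example and is not code from the bug report or from the krb5 or crypto-policies projects. It checks whether a host that is in FIPS mode carries the FIPS:AD-SUPPORT:SHA1 policy the doc text calls for, and applies it only when needed. update-crypto-policies(8) and the kernel flag /proc/sys/crypto/fips_enabled are the standard RHEL interfaces; the function names, the policy-string check, and the --apply flag are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or krb5): make sure a RHEL 9 host in
# FIPS mode uses the FIPS:AD-SUPPORT:SHA1 crypto policy that PKINIT with AD
# needs.  update-crypto-policies(8) and /proc/sys/crypto/fips_enabled are the
# real RHEL interfaces; policy_ok, fips_enabled, apply_policy and --apply are
# names chosen for this script.

REQUIRED_POLICY="FIPS:AD-SUPPORT:SHA1"

# policy_ok POLICY
# POLICY is the string `update-crypto-policies --show` prints: a base policy
# followed by zero or more colon-separated subpolicies.  Returns 0 when the
# base is FIPS and both AD-SUPPORT and SHA1 are present (in any order),
# 1 otherwise.  "FIPS" alone lacks the subpolicies; "DEFAULT:AD-SUPPORT:SHA1"
# allows SHA-1 but is not FIPS mode, so both are rejected.
policy_ok() {
    policy=$1
    base=${policy%%:*}
    [ "$base" = "FIPS" ] || return 1
    case ":$policy:" in
        *:AD-SUPPORT:*) ;;
        *) return 1 ;;
    esac
    case ":$policy:" in
        *:SHA1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# fips_enabled: returns 0 when the kernel reports FIPS mode.  The file is
# absent on non-Linux systems and on kernels without FIPS support, in which
# case this reports "not enabled".
fips_enabled() {
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# apply_policy: set REQUIRED_POLICY on this host, but only when the host is
# actually in FIPS mode and the current policy is not already sufficient.
# Returns 0 on success or when there is nothing to do, 1 when the change did
# not take, 2 when the crypto-policies tooling is missing.
apply_policy() {
    command -v update-crypto-policies >/dev/null 2>&1 || {
        echo "update-crypto-policies not found (not a crypto-policies host?)" >&2
        return 2
    }
    if ! fips_enabled; then
        echo "host is not in FIPS mode; $REQUIRED_POLICY only matters there" >&2
        return 0
    fi
    current=$(update-crypto-policies --show)
    if policy_ok "$current"; then
        echo "policy $current already allows SHA-1 PKINIT verification"
        return 0
    fi
    echo "policy is $current; switching to $REQUIRED_POLICY"
    update-crypto-policies --set "$REQUIRED_POLICY" || return 1
    # Re-read the configured policy instead of trusting the exit status alone.
    policy_ok "$(update-crypto-policies --show)"
}

# Only change the system when asked; sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    apply_policy
fi
```

Run it as root with `sh fips-ad-sha1.sh --apply` (the file name is arbitrary). The policy change is written to the crypto-policies back-end configuration, which OpenSSL reads when a process initialises its library, so processes that were already running, including the KDC and client daemons that perform PKINIT, pick up the new policy only after they are restarted.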
Comment 47

errata-xmlrpc, 2023-11-07 08:56:13 UTC