Bug 2179891

Summary: Unable to run fipsinstall
Product: [Fedora] Fedora
Reporter: Jan Grulich <jgrulich>
Component: openssl
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 38
CC: cllang, crypto-team, dbelyavs, mspacek, mturk, sahana, tm
Last Closed: 2023-03-20 11:08:19 UTC
Type: Bug

Description Jan Grulich 2023-03-20 10:53:50 UTC
Description of problem:
I'm unable to run fipsinstall to install the FIPS module. 

Getting:
This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode.

This looks wrong as I don't use a RHEL build; this is on Fedora (Kinoite) 38 running Fedora 38 in a container. I was happily using this on Fedora 37 before (with F37 container).

Version-Release number of selected component (if applicable):
openssl-3.0.8-1.fc38.x86_64

How reproducible:
Run fipsinstall, for example:
sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/lib64/ossl-modules/fips.so

Comment 1 Jan Grulich 2023-03-20 11:04:06 UTC
It looks like this patch https://src.fedoraproject.org/rpms/openssl/blob/f38/f/0034.fipsinstall_disable.patch has been applied in F38 and Rawhide, while it doesn't exist in Fedora 37. I guess it was brought from RHEL (during sync) and it's just missing a condition to avoid using it on Fedora?

Comment 2 Clemens Lang 2023-03-20 11:08:19 UTC
This is expected, we're shipping the same patches RHEL uses in Fedora. Please switch the entire Fedora system into FIPS mode using `fips-mode-setup --enable`.

Note that we do not FIPS-certify Fedora, and it also currently lags behind some of the FIPS compliance patches applied to RHEL (although we will eventually be pushing all FIPS patches into Fedora as well).

We do not plan to conditionally apply the FIPS patches to RHEL only.
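
Added example, not part of the bug report and not Fedora or OpenSSL project code: one way to verify the result of the system-wide switch from Comment 2 is to compare the kernel FIPS flag with the providers OpenSSL reports as active. The function names, the sample provider listing and the two-space/four-space indentation assumed for `openssl list -providers` output are assumptions of this sketch.

```shell
#!/bin/sh
# Constructed sample of `openssl list -providers` output (not captured from a
# real host; the indentation layout is an assumption of this example).
sample_providers() {
cat <<'EOF'
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
EOF
}

# Read a provider listing on stdin; succeed only if the provider whose id is
# "fips" reports "status: active".
fips_provider_active() {
    awk '
        /^  [^ ]/      { id = $1 }   # two-space indent: provider id line
        /^    status:/ { if (id == "fips" && $2 == "active") found = 1 }
        END            { exit !found }
    '
}

# fips_state FLAG_FILE PROVIDERS_FILE  ->  prints enabled | kernel-only | disabled
#   disabled:    kernel flag is absent or not 1
#   kernel-only: kernel flag is 1 but no active fips provider is listed
#   enabled:     kernel flag is 1 and the fips provider is active
fips_state() {
    flag=$(cat "$1" 2>/dev/null || echo 0)
    if [ "$flag" != "1" ]; then
        echo disabled
    elif fips_provider_active < "$2"; then
        echo enabled
    else
        echo kernel-only
    fi
}

# On a live system (not run here):
#   openssl list -providers > /tmp/providers.txt
#   fips_state /proc/sys/crypto/fips_enabled /tmp/providers.txt
```

A `kernel-only` result means the kernel flag and the OpenSSL provider state disagree.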