Bug 2181259
| Summary: | Fedora 37 - /etc/crypto-policies/back-ends/opensslcnf.config unconditionally defines evp_properties section | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | IBM Bug Proxy <bugproxy> | |
| Component: | openssl | Assignee: | Dmitry Belyavskiy <dbelyavs> | |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | high | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 37 | CC: | asosedki, bugproxy, cllang, crypto-team, dbelyavs, dhorak, luk.claes, mspacek, mturk, rrelyea, sahana, shebburn, tm, tstaudt | |
| Target Milestone: | --- | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | s390x | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2223929 (view as bug list) | Environment: | ||
| Last Closed: | Type: | Bug | ||
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2223929 | |||
Description
IBM Bug Proxy
2023-03-23 13:30:50 UTC
== Comment: #0 - Ingo Franzki <ifranzki.com> - 2023-03-23 08:07:57 ==
I noticed on Fedora 37 that the default OpenSSL config file /etc/pki/tls/openssl.cnf includes another config file /etc/crypto-policies/back-ends/opensslcnf.config which defines an evp_properties section and sets the alg_section setting to point to that evp_properties section.

    [openssl_init]
    alg_section = evp_properties

    [evp_properties]
    rh-allow-sha1-signatures = yes

This causes a problem when a user edits /etc/pki/tls/openssl.cnf and adds its own evp_properties section under a different name (e.g. [evp_properties_section]) and adds "alg_section = evp_properties_section" in the openssl_init section.

The settings in /etc/crypto-policies/back-ends/opensslcnf.config cause that the user defined evp_properties section is ignored, probably because the "alg_section = evp_properties" from the included file wins because it is processed after the user defined setting.

This happens only if the user defined section is not named "evp_properties", but something else. Nevertheless, OpenSSL allows to choose the section name freely, 'evp_properties' is not a fixed name.

This behavior is very confusing and should be avoided, or must be carefully documented.

This problem will most likely also land in a RHEL 9.x release soon, and affects the config file generator that comes as part of the IBMCA provider.

This problem already exists on RHEL 9, except that RHEL 9 defaults to disabling SHA-1 signatures, so applying the DEFAULT:SHA1 crypto-policy (or any other crypto-policy that allows SHA1 signatures) by running

    $> update-crypto-policies --set DEFAULT:SHA1

will add

    rh-allow-sha1-signatures = yes

in an evp_properties section.

However, the openssl configuration file allows choosing all section names freely. The only fixed name in the configuration file is openssl_conf, it just happens to be commonly named openssl_init, but scripts should not rely on that. The issue you describe is thus not new, but has always existed.

Special care must thus be taken already when editing the openssl configuration file.

What would you recommend we do here? Add a notice to the documentation that emphasizes that section names can be arbitrarily chosen, and that crypto-policies assumes `openssl_conf = openssl_init` and `alg_section = evp_properties`?

------- Comment From ifranzki.com 2023-03-23 10:41 EDT-------
> What would you recommend we do here? Add a notice to the documentation that emphasizes that section names can be arbitrarily chosen, and that crypto-policies assumes `openssl_conf = openssl_init` and `alg_section = evp_properties`?
Yes something like that, as best add a note to /etc/pki/tls/openssl.cnf within the
[openssl_init] section, because that's where a user would add its own "alg_section = something".
Or even better, add your "alg_section = evp_properties" together with the [evp_properties] section (and its settings) right to /etc/pki/tls/openssl.cnf instead of to the included file. That way a user (or a tool programmatically updating the config file) can not oversee it. You can still keep the other policy stuff in the included file, that does not hurt.
The config file generator that comes as part of the IBMCA provider is smart enough to detect the name of the evp_properties section if it finds the "alg_section = something" setting in the openssl_init section (or whatever section name is specified in "openssl_conf = something"). So it can deal with freely chosen section names. However, it does not find it if is in an included file.
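An added example, not part of this thread and not the IBMCA generator's or Fedora's code: a small check that follows `.include` directives, resolves the init section named by `openssl_conf`, and reports an `alg_section` assignment that a later one replaces. It assumes the last assignment wins, as the report describes; the sample files are constructed, and the function names `expand`, `alg_section_history` and `shadowed` are hypothetical.

```python
import re

# Constructed sample files; the included one mirrors the report's snippet.
FILES = {
    "/etc/pki/tls/openssl.cnf": """\
openssl_conf = openssl_init
[openssl_init]
alg_section = evp_properties_section
[evp_properties_section]
default_properties = ?provider=ibmca
[crypto_policy]
.include = /etc/crypto-policies/back-ends/opensslcnf.config
""",
    "/etc/crypto-policies/back-ends/opensslcnf.config": """\
[openssl_init]
alg_section = evp_properties
[evp_properties]
rh-allow-sha1-signatures = yes
""",
}

def expand(path, files):
    """Flatten .include directives into one (line, source_file) stream."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()  # simplified comment handling
        if inc := re.fullmatch(r"\.include\s*=?\s*(\S+)", line):
            yield from expand(inc.group(1), files)
        elif line:
            yield line, path

def alg_section_history(main, files):
    """Every alg_section assignment in the init section, in processing order."""
    section, init, seen = "default", None, {}
    for line, src in expand(main, files):
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        key, _, value = (part.strip() for part in line.partition("="))
        if header:
            section = header.group(1)
        elif section == "default" and key == "openssl_conf":
            init = value  # the init section name is free, so resolve it
        elif key == "alg_section":
            seen.setdefault(section, []).append((value, src))
    return seen.get(init, [])

def shadowed(main, files):
    """Return (effective, overridden), assuming the last assignment wins."""
    history = alg_section_history(main, files)
    effective = history[-1] if history else None
    return effective, [h for h in history[:-1] if h[0] != effective[0]]
```

On the sample, `shadowed("/etc/pki/tls/openssl.cnf", FILES)` reports the included file's `evp_properties` as effective and the user's `evp_properties_section` as overridden; renaming the user's section to `evp_properties` leaves nothing overridden.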
------- Comment From ifranzki.com 2023-03-24 04:55 EDT-------
How about that:
Add "alg_section = evp_properties" to the openssl_init section in /etc/pki/tls/openssl.cnf, together with an empty [evp_properties] section (you may add some comments that users should add their settings there).

With that you could leave your include file as is, and users won't create their own evp_properties section with a potentially different name.

Also the config file generator of the IBMCA provider would be finding the sections and add the correct statement to the correct places.

This would be much less error prone, and still allows you to use your include file as before.

(In reply to IBM Bug Proxy from comment #4)
> ------- Comment From ifranzki.com 2023-03-24 04:55 EDT-------
> How about that:
> Add "alg_section = evp_properties" to the openssl_init section in
> /etc/pki/tls/openssl.cnf, together with an empty [evp_properties] section
> (you may add some comments that users should add their settings there).
>
> With that you could leave your include file as is, and users won't create
> their own evp_properties section with a potentially different name.
>
> Also the config file generator of the IBMCA provider would be finding the
> sections and add the correct statement to the correct places.
>
> This would be much less error prone, and still allows you to use your include
> file as before.

That sounds like a reasonable idea. Unfortunately we still need to manage the rh-allow-sha1-signatures setting in the crypto-policies include file, because if we kept that in the main openssl.cnf file, changing the crypto policy would have to edit that main openssl.cnf file, which (as you've noticed) is not trivial.

I'll mark this as triaged now, since I guess it's reasonable for us to apply a patch to include alg_section = evp_properties in the main openssl.cnf.

------- Comment From ifranzki.com 2023-03-24 10:01 EDT-------
> it's reasonable for us to apply a patch to include alg_section = evp_properties in the main openssl.cnf.
Great. But please also add an empty [evp_properties] section as well.
------- Comment From ifranzki.com 2023-07-12 08:26 EDT-------
Any news about this BZ?
Would be good to have this included in RHEL 9.3....

------- Comment From tstaudt.com 2023-07-19 06:15 EDT-------
(In reply to comment #11)
> Any news about this BZ?
> Would be good to have this included in RHEL 9.3....

Red Hat has opened a bug for RHEL 9.3 which I'm going to mirror shortly ...

------- Comment From tstaudt.com 2023-07-19 06:37 EDT-------
Mirrored as IBM Bug 203212 - RH2223929- RHEL 9.3 - /etc/crypto-policies/back-ends/opensslcnf.config unconditionally defines evp_properties section