Bug 2209766

Summary: FIPS enabled openssl clients fail in SSL hanshake against httpd with mod_ssl in RHEL7 server
Product: Red Hat Enterprise Linux 7 Reporter: Alfredo Moralejo <amoralej>
Component: opensslAssignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.9CC: cllang, dbelyavs, jdanek, jorton, luhliari
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-25 12:14:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alfredo Moralejo 2023-05-24 17:25:28 UTC 
Description of problem:


After https://bugzilla.redhat.com/show_bug.cgi?id=2157951 any C9S (or future RHEL9) system with fips enabled fails when access an httpd server with SSL enabled. In my case that means curl or dnf, i.e.:

# curl -L -o /etc/yum.repos.d/delorean-deps.repo https://trunk.rdoproject.org/centos9-antelope/delorean-deps.repo
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:1C8000E9:Provider routines::ems not enabled


or:

Errors during downloading metadata for repository 'delorean-antelope-testing':
  - Curl error (35): SSL connect error for https://trunk.rdoproject.org/centos9-antelope/deps/latest/repodata/repomd.xml [error:1C8000E9:Provider routines::ems not enabled]
Error: Failed to download metadata for repo 'delorean-antelope-testing': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried


My guess is that httpd/mod_ssl/openssl in RHEL/CentOS7 do not support EMS or at least not by default, my versions are:

httpd-2.4.6-98.el7.centos.7.x86_64
mod_ssl-2.4.6-98.el7.centos.7.x86_64
openssl-1.0.2k-26.el7_9.x86_64

Is there any way to enable it or to workaround it somehow from the server side?

Best regards,

Alfredo
Comment 6 Clemens Lang 2023-06-30 11:26:33 UTC 
See also https://access.redhat.com/solutions/7018256. FIPS 140-3 Implementation Guidance requires that TLS 1.2 can only be used with the Extended Master Secret extension in modules validated after May 16, 2023 (see "D.Q Transition of the TLS 1.2 KDF to Support the Extended Master Secret").

The best course of action is to upgrade the remote machines to support TLS 1.3 or the extended master secret extension in TLS 1.2.
Comment 7 Dmitry Belyavskiy 2023-08-25 12:14:33 UTC 

*** This bug has been marked as a duplicate of bug 2222593 ***