Repost the bug in the comment and hide some private information.
Description of problem:
Find a workaround and document the error "SSL connect error (35) : error:1C8000E9:Provider routines::ems not enabled"
Version-Release number of selected component (if applicable):
virt-v2v-2.3.4-3.el9.x86_64
openssl-3.0.7-13.el9_2.x86_64
How reproducible:
100%
Steps to Reproduce:
I copied the steps from Richard:
(1) Enable FIPS mode:
https://access.redhat.com/solutions/137833
# fips-mode-setup --check
FIPS mode is enabled.
(2) Upgrade openssl to at least openssl-3.0.7-13.el9_2.x86_64.
I downloaded the RPMs from brew:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2469741
(3) Run virsh to query a guest on a remote VMware server:
$ virsh -c 'vpx://<user>@x.x.x.x/Datacenter/host/auto-test/MTV/x.x.x.x.redhat.com?no_verify=1' \
dumpxml mtv-rhel8-sanity
Enter mtv's password for x.x.x.x:
error: failed to connect to the hypervisor
error: internal error: curl_easy_perform() returned an error: SSL connect error (35) : error:1C8000E9:Provider routines::ems not enabled
Actual results:
error: internal error: curl_easy_perform() returned an error: SSL connect error (35) : error:1C8000E9:Provider routines::ems not enabled
Expected results:
It's better to document the workaround to this error.
Additional info:
Comment 2 Richard W.M. Jones
2023-06-30 09:16:05 UTC
It's not possible to disable this change yet, but there is a bug to track it:
https://bugzilla.redhat.com/show_bug.cgi?id=2216256
"openssl should support disabling the requirement for the extended master secret in FIPS mode"
1. The workaround is to upgrade the other side of the connection to support TLS 1.3 or TLS 1.2 with EMS (standards that are 5 and 8 years old at this time).
2. While we might implement a way to relax this specific requirement in FIPS mode, *this will make the resulting connection FIPS non-compliant.*
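Added example, not part of the bug report or of any comment here: a small Python check that reads a captured ServerHello and reports whether the peer negotiated TLS 1.3 or TLS 1.2 with the extended_master_secret extension (type 23, RFC 7627), which is the condition the workaround above asks the remote side to meet. The function names and the three sample records are constructed for illustration, and the parser assumes the whole ServerHello sits in a single TLS record.

```python
import struct

EXT_EMS = 0x0017                 # extended_master_secret (RFC 7627)
EXT_SUPPORTED_VERSIONS = 0x002B  # supported_versions (RFC 8446)

def parse_server_hello(record: bytes):
    """Return (negotiated version, extension types) from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack_from("!H", hello, 0)[0]
    # skip legacy_version + random, session_id, cipher suite + compression
    pos = 34 + 1 + hello[34] + 3
    exts = set()
    if pos + 2 <= len(hello):    # the extensions block is optional in TLS 1.2
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            etype, elen = struct.unpack_from("!HH", hello, pos)
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                # TLS 1.3 carries its real version here, not in legacy_version
                version = struct.unpack_from("!H", hello, pos + 4)[0]
            exts.add(etype)
            pos += 4 + elen
    return version, exts

def fips_ems_verdict(record: bytes) -> str:
    version, exts = parse_server_hello(record)
    if version >= 0x0304:
        return "ok: TLS 1.3"
    if version == 0x0303:
        return "ok: TLS 1.2 with EMS" if EXT_EMS in exts else "fail: TLS 1.2 without EMS"
    return "fail: older than TLS 1.2"

def build_sample(ext_bytes: bytes) -> bytes:
    """Constructed ServerHello for the demo (zero random, empty session_id)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x30" + b"\x00"
    hello += len(ext_bytes).to_bytes(2, "big") + ext_bytes
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

NO_EMS = build_sample(b"\xff\x01\x00\x01\x00")                     # renegotiation_info only
WITH_EMS = build_sample(b"\xff\x01\x00\x01\x00" + b"\x00\x17\x00\x00")
TLS13 = build_sample(b"\x00\x2b\x00\x02\x03\x04")

if __name__ == "__main__":
    for name, rec in (("NO_EMS", NO_EMS), ("WITH_EMS", WITH_EMS), ("TLS13", TLS13)):
        print(name, "->", fips_ems_verdict(rec))
```

A peer that yields the "fail: TLS 1.2 without EMS" verdict is the kind a FIPS-mode client with this openssl build rejects with "ems not enabled".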
Comment 4 Klaus Heinrich Kiwi
2023-06-30 15:18:34 UTC
Looks like the request here is to better document the issue or error message to clarify what is causing it, potential workarounds etc. I actually agree with this bz addressing the Documentation only, while BZ#2216256 addresses the workaround (and accompanying Doc update).
Rich, assigning to you, should we set the DocNeeded here and other fields to make this doc only?