.Installing a RHEL 7 IdM client with a RHEL 9.2+ IdM server in FIPS mode fails due to EMS enforcement
The TLS `Extended Master Secret` (EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 and later systems. This is in accordance with FIPS-140-3 requirements. However, the `openssl` version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 9.2 and later fails.
If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around the problem by removing the requirement for EMS usage on the RHEL 9 server by applying a NO-ENFORCE-EMS subpolicy on top of the FIPS crypto policy:
----
# update-crypto-policies --set FIPS:NO-ENFORCE-EMS
----
Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client succeeds.
DescriptionFlorence Blanc-Renaud
2023-07-06 13:45:16 UTC
Description of problem:
Installation of a RHEL 7.9 client fails in FIPS mode with a RHEL 9.2 server.
Version-Release number of selected component (if applicable):
Client:
# rpm -qa ipa-client openssl
ipa-client-4.6.8-5.el7_9.14.x86_64
openssl-1.0.2k-26.el7_9.x86_64
Server:
# rpm -qa ipa-server openssl
openssl-3.0.7-16.el9_2.x86_64
ipa-server-4.10.1-7.el9_2.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Install a RHEL 9.2 server in FIPS mode
ipa-server-install --domain ipa.test --realm IPA.TEST -a password - password -U
2. Install a RHEL 7.9 client in FIPS mode
ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password password -U
Actual results:
The client installation fails due to a SSL handshake failure:
# ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd
Client hostname: client.ipa.test
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: server.ipa.test
BaseDN: dc=ipa,dc=test
Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TEST
Issuer: CN=Certificate Authority,O=IPA.TEST
Valid From: 2023-07-06 12:52:19
Valid Until: 2043-07-06 12:52:19
Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://server.ipa.test/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://server.ipa.test/ipa/json'
cannot connect to 'https://server.ipa.test/ipa/json': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Expected results:
Client installation should succeed.
Additional info:
This issue is related to the change done on openssl side with Bug 2188046 - Support requiring EMS in TLS 1.2, default to it when in FIPS mode [rhel-9.2.0.z]
In FIPS mode, if the server is installed with openssl-3.0.7-16.el9_2, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections.
RHEL 7.9 clients can communicate only using TLS 1.2 but don't support this extension. RHEL 8.x clients support TLS 1.2 and TLS 1.3 and are not impacted.
The direct consequence is that RHEL 7.9 clients cannot join a RHEL 9.2+ server in FIPS mode. This limitation should be documented.
This error occurs in the context of a RHEL 7.9 client installation, but based on the error, we can probably expect it to happen for all HTTPS API requests (not just during the installation process):
cannot connect to 'https://server.ipa.test/ipa/json': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
Current deployments are very likely to be affected too.
That's correct. NIST now requires that modules submitted for FIPS certification after May 16th, 2023, enforce the extended master secret in TLS 1.2, or use TLS 1.3. RHEL 7 does not support TLS 1.3 or the extended master secret. See also https://access.redhat.com/solutions/7018256 which explains this.
To put it in a different way: modules submitted for FIPS certification after May 16th, 2023, can no longer talk to RHEL 7 servers using TLS while being FIPS-compliant.
Comment 19RHEL Program Management
2023-09-18 22:53:55 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 20RHEL Program Management
2023-09-18 22:58:56 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.
Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.
To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:
"Bugzilla Bug" = 1234567
In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Description of problem: Installation of a RHEL 7.9 client fails in FIPS mode with a RHEL 9.2 server. Version-Release number of selected component (if applicable): Client: # rpm -qa ipa-client openssl ipa-client-4.6.8-5.el7_9.14.x86_64 openssl-1.0.2k-26.el7_9.x86_64 Server: # rpm -qa ipa-server openssl openssl-3.0.7-16.el9_2.x86_64 ipa-server-4.10.1-7.el9_2.x86_64 How reproducible: Always Steps to Reproduce: 1. Install a RHEL 9.2 server in FIPS mode ipa-server-install --domain ipa.test --realm IPA.TEST -a password - password -U 2. Install a RHEL 7.9 client in FIPS mode ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password password -U Actual results: The client installation fails due to a SSL handshake failure: # ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U WARNING: ntpd time&date synchronization service will not be configured as conflicting service (chronyd) is enabled Use --force-ntpd option to disable it and force configuration of ntpd Client hostname: client.ipa.test Realm: IPA.TEST DNS Domain: ipa.test IPA Server: server.ipa.test BaseDN: dc=ipa,dc=test Skipping synchronizing time with NTP server. Successfully retrieved CA cert Subject: CN=Certificate Authority,O=IPA.TEST Issuer: CN=Certificate Authority,O=IPA.TEST Valid From: 2023-07-06 12:52:19 Valid Until: 2043-07-06 12:52:19 Enrolled in IPA realm IPA.TEST Created /etc/ipa/default.conf New SSSD config will be created Configured sudoers in /etc/nsswitch.conf Configured /etc/sssd/sssd.conf trying https://server.ipa.test/ipa/json [try 1]: Forwarding 'schema' to json server 'https://server.ipa.test/ipa/json' cannot connect to 'https://server.ipa.test/ipa/json': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618) The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information Expected results: Client installation should succeed. Additional info: This issue is related to the change done on openssl side with Bug 2188046 - Support requiring EMS in TLS 1.2, default to it when in FIPS mode [rhel-9.2.0.z] In FIPS mode, if the server is installed with openssl-3.0.7-16.el9_2, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections. RHEL 7.9 clients can communicate only using TLS 1.2 but don't support this extension. RHEL 8.x clients support TLS 1.2 and TLS 1.3 and are not impacted. The direct consequence is that RHEL 7.9 clients cannot join a RHEL 9.2+ server in FIPS mode. This limitation should be documented.