Bug 2231540
| Summary: | SSH does not use the ibmca crypto hardware in FIPS on s390x | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Ondrej Moriš <omoris> |
| Component: | openssh | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 9.3 | CC: | hkario, jjelen, ksrot, npocs, tstaudt |
| Target Milestone: | rc | Keywords: | Regression, Triaged |
| Target Release: | --- | | |
| Hardware: | s390x | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-29 10:38:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Ondrej Moriš
2023-08-11 18:48:52 UTC
I discussed something similar in https://bugzilla.redhat.com/show_bug.cgi?id=2224568

Karel, could you please check if it is the same issue?

No, this is something different. The issue in bug 2224568 has been fixed with openssl-ibmca-2.4.0-4.el9 which has been installed in test jobs above. However, I had been discussing this issue previously with Hubert Kario who spotted it.

The ibmca engine is not used when openssl is configured to use the ibmca engine. It works when openssl is using ibmca provider.

The engine is deprecated and it has never been FIPS compliant, we believe this is not worth fixing. Users should be using ibmca provider instead.

Ondra, could you please check whether switching to the provider fixes the issue? If yes, I'd close it as WONTFIX.

(In reply to Dmitry Belyavskiy from comment #4)
> Ondra, could you please check whether switching to the provider fixes the
> issue? If yes, I'd close it as WONTFIX.

Yes, it works fine when ibmca provider is enabled.

Thank you both!