Bug 2235589

Summary: gnutls fails in FIPS mode: Error in GnuTLS initialization: Error while performing self checks.
Product: [Fedora] Fedora
Reporter: Martin Pitt <mpitt>
Component: gnutls
Assignee: Red Hat Crypto Team <crypto-team>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 39
CC: ansasaki, crypto-team, dueno, fkrenzel, tm, zfridric
Target Milestone: ---
Keywords: Regression
Target Release: ---
Flags: fedora-admin-xmlrpc: mirror+
Hardware: Unspecified
OS: Linux
URL: https://cockpit-logs.us-east-1.linodeobjects.com/pull-5171-20230829-063656-e518ac35-fedora-39-other-cockpit-project-cockpit/log.html#107-2
Whiteboard: CockpitTest
Fixed In Version: gnutls-3.8.1-1.fc39
Last Closed: 2023-09-15 18:42:07 UTC

Description Martin Pitt 2023-08-29 07:09:11 UTC
Summary says it all.

Reproducible: Always

Steps to Reproduce:
1. fips-mode-setup --enable
2. reboot
3. gnutls-cli localhost

Actual Results:
Error in GnuTLS initialization: Error while performing self checks.
global_init: Error while performing self checks.

and exits with code 1

Expected Results:  
Starts connecting and errors with "Could not connect to 127.0.0.1:443: Connection refused" (or succeeds if there is actually a https server running)

Comment 1 Daiki Ueno 2023-08-29 07:33:02 UTC
According to the log, this seems to be caused by nettle and gnutls version mismatch, where nettle is nettle-3.9.1-2.fc39.x86_64 while gnutls is gnutls-3.8.0-7.fc39.x86_64. I believe either downgrading nettle to the previous version (nettle-3.9.1-1.fc39) or updating gnutls to gnutls-3.8.1-1.fc39 should fix the issue.

Comment 2 Martin Pitt 2023-08-29 07:50:34 UTC
Indeed my VM (built about two hours ago) currently has nettle-3.9.1-2.fc39.x86_64, which is even newer than in https://bodhi.fedoraproject.org/updates/?packages=nettle (whose latest version is 3.9.1-1).

I updated to https://bodhi.fedoraproject.org/updates/FEDORA-2023-7ef3bc8d6d, i.e. to gnutls 3.8.1-1.fc39, and that indeed fixes the issue. Want to refer to this bug in the bodhi advisory? I'm happy to karma it up then.

Thanks!

Comment 3 Fedora Update System 2023-08-30 09:15:18 UTC
FEDORA-2023-7ef3bc8d6d has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-7ef3bc8d6d

Comment 4 Fedora Update System 2023-09-15 18:42:07 UTC
FEDORA-2023-7ef3bc8d6d has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.
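
Added example (not part of the bug report, and not Fedora or GnuTLS tooling): a shell check for the package combination identified in Comment 1 and resolved in Comment 2, using only the versions quoted in this bug. The function names, the verdict strings, and the use of `sort -V` as an approximation of RPM version ordering are assumptions.

```shell
#!/bin/sh
# Added triage example; versions below are the ones quoted in this bug.
FIXED_GNUTLS="3.8.1-1.fc39"   # "Fixed In Version" field
BAD_NETTLE="3.9.1-2.fc39"     # nettle build named in Comment 1

# ver_lt A B: succeeds if A sorts strictly before B.
# Assumption: GNU `sort -V` is close enough to RPM ordering for these
# simple version-release strings.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify FIPS_FLAG GNUTLS_VR NETTLE_VR: print one verdict word.
classify() {
    c_fips=$1 c_gnutls=$2 c_nettle=$3
    if [ "$c_fips" != "1" ]; then
        echo "not-fips"          # the failure was reported in FIPS mode
    elif [ -z "$c_gnutls" ] || [ -z "$c_nettle" ]; then
        echo "unknown"           # package not installed or not queryable
    elif ! ver_lt "$c_gnutls" "$FIXED_GNUTLS"; then
        echo "fixed"             # gnutls at or past the fixed build
    elif [ "$c_nettle" = "$BAD_NETTLE" ]; then
        echo "affected"          # the pairing from Comment 1
    else
        echo "check-manually"    # older gnutls, different nettle build
    fi
}

# probe: collect the three inputs from the local host and classify them.
probe() {
    p_fips=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null) || p_fips=0
    p_gnutls=$(rpm -q --qf '%{VERSION}-%{RELEASE}' gnutls 2>/dev/null) || p_gnutls=""
    p_nettle=$(rpm -q --qf '%{VERSION}-%{RELEASE}' nettle 2>/dev/null) || p_nettle=""
    classify "$p_fips" "$p_gnutls" "$p_nettle"
}

probe
```

A verdict of `affected` corresponds to the state in which step 3 of the reproducer exits with the self-check error; `fixed` corresponds to the state after the update described in Comment 2.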