Bug 1100756 - Installation of dovecot in FIPS mode hangs yum
Summary: Installation of dovecot in FIPS mode hangs yum
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: dovecot
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Michal Hlavinka
QA Contact: Alois Mahdal
Depends On: 1064978
Reported: 2014-05-23 11:45 UTC by Hubert Kario
Modified: 2015-07-22 06:57 UTC (History)

Fixed In Version: dovecot-2.0.9-15.el6
Doc Type: Bug Fix
Last Closed: 2015-07-22 06:57:22 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1348 0 normal SHIPPED_LIVE dovecot bug fix and enhancement update 2015-07-20 17:59:48 UTC

Description Hubert Kario 2014-05-23 11:45:39 UTC
Description of problem:
It's impossible to install dovecot in FIPS mode, yum hangs after the "Installing" step

Version-Release number of selected component (if applicable):
dovecot-2.0.9-7.el6.ppc64
openssl-1.0.1e-16.el6_5.8

How reproducible:
always

Steps to Reproduce:
1. put system in FIPS mode
2. install new openssl (openssl-1.0.1e-16.el6_5.8 or later)
3. yum install dovecot

Actual results:

Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Reinstall Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package dovecot.ppc64 1:2.0.9-7.el6 will be reinstalled
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================
 Package                    Arch                     Version                           Repository                              Size
====================================================================================================================================
Reinstalling:
 dovecot                    ppc64                    1:2.0.9-7.el6                     rhel-ppc64-server-6                    2.0 M

Transaction Summary
====================================================================================================================================
Reinstall     1 Package(s)

Total size: 2.0 M
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 1:dovecot-2.0.9-7.el6.ppc64


Expected results:
dovecot installed

Additional info:
Problem probably caused by the new FIPS certified OpenSSL package. New FIPS rules don't allow 1024 bit DH, RSA or DSA keys: bug 1064978.

Comment 1 Tomas Mraz 2014-05-23 11:51:32 UTC
Note that FIPS allows for 2048 and 3072 bit keys only in the FIPS mode.

Comment 2 Michal Hlavinka 2014-05-23 14:20:24 UTC
Interesting. This should be already fixed.

(In reply to Hubert Kario from comment #0)
> 1. put system in FIPS mode

Is there some easy way to do that? I always have to do a fresh installation in FIPS mode. If I just add fips=1 to grub, I can't log in.

Comment 4 Michal Hlavinka 2014-05-26 09:10:55 UTC
I just tried to reproduce this and it works for me.
Installation seemed to hang, but it was generating keys and it just waited for the random number generator to have enough entropy. It completed a few seconds later.

If you are able to reproduce this, could you leave the installation hung and send me the login password for that machine? Thanks


(In reply to Tomas Mraz from comment #1)
> Note that FIPS allows for 2048 and 3072 bit keys only in the FIPS mode.

FYI, this was fixed in dovecot-2.0.9-7.el6, see bug #1010279

Comment 5 Hubert Kario 2014-05-26 16:39:23 UTC
Then the new openssl reintroduces this issue:

[root@pes-guest-103 ~]# rpm -qf /usr/libexec/dovecot/ssl-params
dovecot-2.0.9-7.el6.x86_64
[root@pes-guest-103 ~]# /usr/libexec/dovecot/ssl-params
Info: Generating SSL parameters
Error: DH_generate_parameters(bits=512, gen=2) failed: error:0506A06E:lib(5):func(106):reason(110)
Error: DH_generate_parameters(bits=1024, gen=2) failed: error:0506A003:lib(5):func(106):reason(3)
Fatal: Unable to generate any DH parameter
Error: child process failed with status 22784

Comment 9 Karel Srot 2015-01-15 14:39:32 UTC
Not sure if it is exactly the problem described above, but I am seeing failures in FIPS with dovecot-2.0.9-8.el6_6.4 due to /usr/libexec/dovecot/mkcert.sh trying to generate certificates that are not allowed.


Generating a 1024 bit RSA private key
Error Generating Key
17590154273520:error:2D07406D:FIPS routines:RSA_BUILTIN_KEYGEN:invalid key length:rsa_gen.c:190:
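
Added example (not part of the original bug report, and not dovecot or OpenSSL code): a small Python triage script that reads the failure lines quoted in comments 5 and 9, flags every key-generation request whose size is outside the 2048/3072-bit set given in comment 1, and unpacks the 8-hex-digit OpenSSL 1.0.x error codes into the same lib/func/reason fields dovecot prints. The log text is a constructed sample assembled from those two comments, and the library-number table covers only the two libraries seen here.

```python
import re

# Key lengths that comment 1 says are allowed in FIPS mode.
FIPS_ALLOWED_BITS = {2048, 3072}
# Library numbers as defined in OpenSSL 1.0.x err.h (only those seen on this page).
LIB_NAMES = {5: "DH", 45: "FIPS"}

# Constructed sample: the output lines quoted in comments 5 and 9.
SAMPLE_LOG = """\
Info: Generating SSL parameters
Error: DH_generate_parameters(bits=512, gen=2) failed: error:0506A06E:lib(5):func(106):reason(110)
Error: DH_generate_parameters(bits=1024, gen=2) failed: error:0506A003:lib(5):func(106):reason(3)
Fatal: Unable to generate any DH parameter
Generating a 1024 bit RSA private key
Error Generating Key
17590154273520:error:2D07406D:FIPS routines:RSA_BUILTIN_KEYGEN:invalid key length:rsa_gen.c:190:
"""

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
BITS_RE = re.compile(r"bits=(\d+)|Generating a (\d+) bit (\w+)")


def unpack_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def analyse(log):
    """Return (key requests outside the allowed sizes, decoded error codes)."""
    rejected, errors = [], []
    for line in log.splitlines():
        m = BITS_RE.search(line)
        if m:
            bits = int(m.group(1) or m.group(2))
            kind = "DH" if m.group(1) else m.group(3)
            if bits not in FIPS_ALLOWED_BITS:
                rejected.append((kind, bits))
        e = ERR_RE.search(line)
        if e:
            lib, func, reason = unpack_error(e.group(1))
            errors.append((LIB_NAMES.get(lib, "lib%d" % lib), func, reason))
    return rejected, errors


if __name__ == "__main__":
    rejected, errors = analyse(SAMPLE_LOG)
    for kind, bits in rejected:
        print("%s %d-bit request is outside the FIPS-allowed sizes" % (kind, bits))
    for lib, func, reason in errors:
        print("OpenSSL error: lib=%s func=%d reason=%d" % (lib, func, reason))
```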

Comment 11 Alois Mahdal 2015-04-15 19:12:18 UTC
Is this supposed to be hardware-specific?

I just tried to reproduce it on all RHEL6 archs[*] and everywhere dovecot installed just fine.


 [*] except for s390x where FIPS cannot be enabled, as reported by
     /distribution/fips/setup-fips-enabled

Comment 14 Michal Hlavinka 2015-04-16 13:48:49 UTC
It's not hardware specific. Just beware of a change in openssl:
* Fri Jun 06 2014 Tomáš Mráz <tmraz> 1.0.1e-26
...
- FIPS mode: make the limitations on DSA, DH, and RSA keygen
  length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment
  variable is set

so new openssl versions do not affect the ssl-params by default

Comment 21 errata-xmlrpc 2015-07-22 06:57:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1348.html
