Description of problem: OpenSSL 1.0.2j deadlocks in FIPS mode. The deadlock occurs in multithreaded applicaiton with an OpenSSL thread lock callback, e.g. Python's ssl module. It's triggered by reseed of the RNG during SSL handshake Version-Release number of selected component (if applicable): OpenSSL 1.0.2j How reproducible: always Steps to Reproduce: 1. touch /etc/system-fips 2. OPENSSL_FORCE_FIPS_MODE=1 pip download somepackage Actual results: program deadlocks Expected results: pip works Additional info: https://bugs.python.org/issue28854 https://github.com/openssl/openssl/issues/2019 The bug is caused by a double lock acquire of CRYPTO_LOCK_RAND lock. My Python upstream bug contains more detailed information and gdb stack dumps.
You can close the upstream report as the FIPS mode support we have in Fedora is different from upstream. I'll investigate and fix it.
Can you please test openssl-1.0.2j-3.fc24 from koji? According to my tests it should be fixed. I've dropped the read lock in drbg_status which is unnecessary.
openssl-1.0.2j-3.fc24 from http://koji.fedoraproject.org/koji/taskinfo?taskID=16708277 fixes the bug and no longer causes deadlocks. Thanks a lot for the fast fix!
openssl-1.0.2j-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f5c57e05b6
openssl-1.0.2j-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5ccc141b9c
openssl-1.0.2j-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f5c57e05b6
openssl-1.0.2j-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5ccc141b9c
openssl-1.0.2j-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.2j-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.