See also: Bug 1324493 - Update the list of FIPS approved algorithms

I'd say this is expected and acceptable.

(In reply to Tomas Mraz from comment #3)
> I'd say this is expected and acceptable.

Well, the main point was that this was working in RHEL7.3 and the change was propagated from the Fedora bug #1324493.
The main question is if this is something that FIPS enforces or we should rather aim for compatibility (with RHEL7.3 and also with legacy RHEL4.9).
If we hit this issue in our own infrastructure, it is very likely that there will be similar issue and setup somewhere in the wild in customers deployments.

Tomas, if you are ok with this change, we will certainly have to make sure it will be documented.

The deprecation of SHA1 for FIPS is a known fact, so I think just documenting the change (with the possible workaround by explicitly allowing the SHA1 based DH methods) is sufficient.

Sorry for coming up with details gradually (this should have been in the original report). But the problem is that when the cipher is not allowed in the FIPS, there is no workaround. The kex is not known to OpenSSH in FIPS.

By manually selecting the cipher it leads to

    "diffie-hellman-group1-sha1" is not allowed in FIPS mode

so from there was the question how is the status of SHA1 in FIPS and what of the options would be acceptable for FIPS:

 * Do we want the same behavior as in RHEL7.3: Enabled in default proposal
 * Not in default proposal, possible to enable using configuration (preferred)
 * Not in default proposal, unable to enable (current behavior of RHEL 7.4 package)

I think the second option is the best.

I will restore both the methods that were allowed in RHEL 7.3:

  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1

They will not be offered by default (not on client nor server), but  they can be re-enabled using configuration option such as

  ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@legacyhost

or using configuration as described in http://www.openssh.com/legacy.html

The diffie-hellman-group-exchange-sha1 was disabled in RHEL7.3 and will stay so.

It still fails for me with openssh-7.4p1-3.el7:

# ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
FIPS mode initialized
Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

# echo $?
255

# cat /proc/sys/crypto/fips_enabled
1

Can you post a debug log from

  ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4

# ssh -vvv -oKexAlgorithms=+diffie-hellman-group14-sha1 user@rhel4
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
FIPS mode initialized
debug2: resolving "rhel4" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to rhel4 [10.10.10.10] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to rhel4:22 as 'user'
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: MACs stoc: hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: (no match)
Unable to negotiate with 10.10.10.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

I see suspicious comma in the line

    debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,,diffie-hellman-group14-sha1,ext-info-c

which might cause these problems. I don't see it it non-FIPS mode. As a possible workaround, the following should work:

    ssh -vvv -oKexAlgorithms=diffie-hellman-group14-sha1 user@rhel4

I can reproduce the same problem with my machine if I try to pass the bogus comma to the algorithm list

    ssh -vvv -oKexAlgorithms=,diffie-hellman-group14-sha1 user@localhost

It is certainly bug in the FIPS offered list. This should not be in the default configuration, but the parser itself should not choke on that (it ends when it does not find the anything in front of comma).

I will respin the package as soon as I will find out how to put it together.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2029