Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1442083 - Delayed name resolving fails when fips is enabled
Delayed name resolving fails when fips is enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ntp (Show other bugs)
7.3
All Linux
medium Severity medium
: rc
: 7.5
Assigned To: Miroslav Lichvar
Andrej Dzilský
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-13 09:24 EDT by Miroslav Lichvar
Modified: 2018-04-10 11:26 EDT (History)
5 users (show)

See Also:
Fixed In Version: ntp-4.2.6p5-28.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 11:25:54 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Use SHA1 request key by default to fix delayed name resolving in FIPS mode (478 bytes, patch)
2017-04-13 09:54 EDT, Miroslav Lichvar 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0855 None None None 2018-04-10 11:26 EDT

  None (edit)
Description Miroslav Lichvar 2017-04-13 09:24:25 EDT 
Description of problem:
When the FIPS mode was enabled and hostnames specified in ntp.conf couldn't be resolved on start, the resolving process of ntpd is not be able to configure the main process later and it won't be using the servers for synchronization.

The problem is that ntpd uses a random MD5 key when no request key was specified in the config and MD5 is not allowed in the FIPS mode.

Version-Release number of selected component (if applicable):
ntp-4.2.6p5-25.el7_3.1.x86_64

How reproducible:
Most of the time

Steps to Reproduce:
1. enable FIPS mode
2. disable chronyd service, enable ntpd service
3. reboot

Actual results:
The "ntpq -pn" command reports that no NTP servers are used and the system log contains an "ntpd_intres[729]: MAC encrypt: digest init failed" error message.

Expected results:
ntpq -pn lists all servers specified in ntp.conf.

Additional info:
Comment 1 Miroslav Lichvar 2017-04-13 09:54 EDT 
Created attachment 1271436 [details]
Use SHA1 request key by default to fix delayed name resolving in FIPS mode

With this patch ntpd will use by default a random SHA1 key instead of an MD5 key, which is still allowed in the FIPS mode.
Comment 5 Andrej Dzilský 2017-10-17 11:15:36 EDT 
Verified. Fixed.
Comment 8 errata-xmlrpc 2018-04-10 11:25:54 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0855
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.