Red Hat Bugzilla – Bug 1460671
[WALA] Fail to run Extension in FIPS mode
Last modified: 2017-06-19 05:08:30 EDT
Description of problem: If install Extension, wala will run openssl pkcs12 to generate certificate, which goes wrong in FIPS mode. Version-Release number of selected component (if applicable): WALinuxAgent-2.2.12-1 RHEL Version: RHEL-7.4 How reproducible: 100% Steps to Reproduce: 1. Prepare a VM in Azure. Enable FIPS follow the document: https://access.redhat.com/solutions/137833 1). yum install dracut-fips 2). mv -v /boot/initramfs-$(uname -r).img{,.bak} dracut 3). grubby --update-kernel=$(grubby --default-kernel) --args=fips=1 uuid=$(findmnt -no uuid /boot) [[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid} 4). reboot 2. Run "reset remote access" to install an Extension into the VM. There's no error logs in waagent.log 3. Set "OS.EnableFIPS=y" in /etc/waagent.conf. Restart waagent service 4. Check if the extension works. Check /var/log/waagent.log Actual results: The extension doesn't work. The waagent -run-exthandler process keeps restarting. There're error logs in waagent.log: 2017/06/09 18:41:23.406056 WARNING Server preferred version:2015-04-05 2017/06/09 18:41:28.146195 ERROR Command: '/usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem' 2017/06/09 18:41:28.184821 ERROR Return code: 1 2017/06/09 18:41:28.195972 ERROR Result: MAC verified OK Error outputting keys and certificates 140308542494624:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181: 140308542494624:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87: 140308542494624:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139: 2017/06/09 18:41:28.306785 ERROR Failed to run 'run-exthandlers': Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/azurelinuxagent/agent.py", line 147, in main agent.run_exthandlers() File "/usr/lib/python2.7/site-packages/azurelinuxagent/agent.py", line 117, in run_exthandlers update_handler.run() File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/update.py", line 236, in run get_monitor_handler().run() File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/monitor.py", line 96, in run self.init_sysinfo() File "/usr/lib/python2.7/site-packages/azurelinuxagent/ga/monitor.py", line 121, in init_sysinfo protocol = self.protocol_util.get_protocol() File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 261, in get_protocol self.protocol = self._detect_protocol(protocols) File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 183, in _detect_protocol return self._detect_wire_protocol() File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/util.py", line 152, in _detect_wire_protocol protocol.detect() File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 99, in detect self.client.update_goal_state(forced=True) File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 729, in update_goal_state self.update_certs(goal_state) File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 688, in update_certs self.certs = Certificates(self, xml_text) File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 1147, in __init__ self.parse(xml_text) File "/usr/lib/python2.7/site-packages/azurelinuxagent/common/protocol/wire.py", line 1218, in parse thumbprint = thumbprints[pubkey] KeyError: u'-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAocW4DnlCqiI8MrQAj8ec\nZACpCKUwPCPg3vDYGLdwqvKs9H9bMxy1cXzgGFnPgfG/azfyzB3kbDlW+I9DMLq9\nw2ntdRdDn2esLlToWymQcQjs0FesvJhppgJSe0hOlUCBBgmWqFC1Lfom+SGDnxeR\nkc6z42ExX4VPRvNKeU7yZwoOqpTZmy2FXNxVe3db0nB87ZRRy15gXjHICFPMG4HV\nsPI/xDttaqTLlzmmGVh36oxE8WVCNiTarTOTNfA4udNmk07Xw2Y3lrms28jr2AKj\ngxpI+IUraN8reLUVNmkumeNwEl0ttdv6ngltkGCoNh+3lKVpnugahB+GCQ5hamCe\nGQIDAQAB\n-----END PUBLIC KEY-----\n' Expected results: The extension can work well in FIPS mode. Additional info: 1. I ran this command manually and it also didn't work. 1). export OPENSSL_FIPS=1 2). Run command: # /usr/bin/openssl cms -decrypt -in /var/lib/waagent/Certificates.p7m -inkey /var/lib/waagent/TransportPrivate.pem -recip /var/lib/waagent/TransportCert.pem | /usr/bin/openssl pkcs12 -nodes -password pass: -out /var/lib/waagent/Certificates.pem 3. Output: MAC verified OK Error outputting keys and certificates 140520158844832:error:060740A0:digital envelope routines:EVP_PBE_CipherInit:unknown cipher:evp_pbe.c:181: 140520158844832:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:87: 140520158844832:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139: 2. It also impact the VM provisioning if authenticate with ssh key in FIPS mode.
Here's the response from Tomas Mraz: "unfortunately this cannot work in the FIPS mode because the algorithm by which the PKCS12 data is encrypted is not approved and thus unsupported in the FIPS mode. The algorithm used is extremely weak - pbeWithSHA1And40BitRC2-CBC - this means the encryption is 40 bit RC2. The only FIPS approved encryption algorithms are AES and TDES3." It seems that this is not supported in FIPS mode. We're waiting for the MSFT developers to help to confirm it.