Description of problem:
Use of libfaketime with openssl triggers a segfault if the system is in FIPS mode. See

* [BUG] https://github.com/wolfcw/libfaketime/issues/93
* [BUG] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1613658
* [PATCH] https://github.com/wolfcw/libfaketime/commit/0bde083556e243e87bddaaf94e68f2ef85dad769

Version-Release number of selected component (if applicable):
libfaketime-0.9.6-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. yum install hmaccalc fipscheck dracut-fips dracut-fips-aesni
2. rebuild initrd (dracut -f)
3. Boot the system with "fips=1" in the kernel boot arguments
4. Run "faketime -f '2017-01-01 00:00:00' openssl"

Actual results:
# faketime -f '2017-06-23 01:02:03' openssl ciphers
Caught Segmentation fault

Expected results:
faketime -f '2017-06-23 01:02:03' openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:KRB5-DES-CBC3-SHA

Additional info:
Not sure whether the initrd build is mandatory or just booting with fips=1 is sufficient.
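The reproduction steps above pair a FIPS-mode kernel with the libfaketime 0.9.6 package. As an added example (not part of the bug report and not libfaketime's or openssl's own code), the following POSIX shell script checks a host for that combination before anyone wraps openssl in faketime. It assumes that /proc/sys/crypto/fips_enabled reads "1" after booting with fips=1, that rpm can report the installed libfaketime version, and that 0.9.7 is the first release carrying the fix.

```shell
#!/bin/sh
# Added example, not part of the bug report: report whether this host combines
# FIPS mode with a libfaketime older than 0.9.7.
# Assumptions: /proc/sys/crypto/fips_enabled reflects the fips=1 boot argument,
# and rpm knows the installed libfaketime version.

# version_lt A B: succeed if dotted numeric version A sorts before version B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# rpm_version V-R: strip the release suffix, e.g. "0.9.6-1.el7" -> "0.9.6".
rpm_version() {
    printf '%s\n' "$1" | cut -d- -f1
}

# affected FIPS_FLAG VERSION: succeed if FIPS is on and VERSION is older than 0.9.7.
affected() {
    [ "$1" = "1" ] && version_lt "$2" "0.9.7"
}

main() {
    fips=0
    if [ -r /proc/sys/crypto/fips_enabled ]; then
        fips=$(cat /proc/sys/crypto/fips_enabled)
    fi
    # %{VERSION} already excludes the release tag; rpm_version is for values
    # copied from a full package name such as the one in the report.
    ver=$(rpm -q --qf '%{VERSION}\n' libfaketime 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "libfaketime is not installed (fips_enabled=$fips)"
    elif affected "$fips" "$ver"; then
        echo "AFFECTED: fips_enabled=1 and libfaketime $ver < 0.9.7; faketime + openssl may segfault"
    else
        echo "not affected: fips_enabled=$fips, libfaketime $ver"
    fi
}

main "$@"
```

The version comparison is numeric per dotted field rather than a plain string compare, so a later 0.9.10 is correctly treated as newer than 0.9.7; the check says nothing about whether the initrd rebuild in step 2 is required, which the report itself leaves open.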
Upstream is about to release 0.9.7, which includes that fix. So if this isn't super urgent, I'd prefer to wait and just go to 0.9.7, since there are quite a lot of fixes since 0.9.6.
Not super urgent from my perspective. I'd love to see a fix within the next month or so, so if the next release is expected within the next few weeks, it would absolutely make sense to just wait for that rather than cherry-picking the individual fix.