1663443 – java FIPS and FUTURE policies incorrectly disable DHE_RSA and ECDHE_RSA ciphersuites

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1663443 - java FIPS and FUTURE policies incorrectly disable DHE_RSA and ECDHE_RSA ciphersuites

Summary: java FIPS and FUTURE policies incorrectly disable DHE_RSA and ECDHE_RSA ciphe...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	crypto-policies
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	8.0
Assignee:	Tomas Mraz
QA Contact:	Ondrej Moriš
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1652753 1656418
TreeView+	depends on / blocked

Reported:	2019-01-04 11:14 UTC by Mohammad Rizwan
Modified:	2020-11-14 12:18 UTC (History)
CC List:	17 users (show)
Fixed In Version:	crypto-policies-20181217-4.git9a35207.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-13 22:48:47 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Mohammad Rizwan 2019-01-04 11:14:00 UTC

Description of problem:
ipa-server-install fails in FIPS mode for [1/28]: configuring certificate server instance

Version-Release number of selected component (if applicable):
  ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64                            
  ipa-server-dns-4.7.1-7.module+el8+2555+b334d87b.noarch

How reproducible:
always

Steps to Reproduce:
1. Enable fips mode and install ipa-server

Actual results:
[..]
  [1/5]: Making sure custodia container exists
  [2/5]: Generating ipa-custodia config file
  [3/5]: Generating ipa-custodia keys
  [4/5]: starting ipa-custodia 
  [5/5]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmppdbjeyia'] returned non-zero exit status 1: 'pkispawn      : ERROR    Server unreachable due to SSL error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:872)\nconfiguration : ERROR    Server failed to restart\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Expected results:
ipa-server-install success.

Additional info:
Similar bug is on ON_QA for different issue : https://bugzilla.redhat.com/show_bug.cgi?id=1656418

Comment 5 Rob Crittenden 2019-01-04 13:23:07 UTC

It is failing during bootstrapping. Only the temporary server cert has been issued at the point of failure.

Comment 8 Deepak Punia 2019-01-08 05:15:26 UTC

DS/CA Installation are getting failed after enabling the fips at hardware level.
Below is the detail logs

Working fine before configuring fips:-
# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master

After configuring fips on rhel8 ds installation is not working
# df /boot
Filesystem     1K-blocks   Used Available Use% Mounted on
/dev/sda1        1038336 171500    866836  17% /boot

# blkid  /dev/sda1
/dev/sda1: UUID="88a7f134-6f62-445e-8c6b-0a9aae0f3478" TYPE="xfs" PARTUUID="6b4463b1-01"

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
done
# reboot

# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
# /usr/sbin/getenforce
Enforcing

# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Error: {'desc': "Can't contact LDAP server"}

after disabling the fips :-
[root@dell-pr5820-01 hsm_setup]# sysctl crypto.fips_enabled
crypto.fips_enabled = 0
[root@dell-pr5820-01 hsm_setup]#
[root@dell-pr5820-01 hsm_setup]# dscreate from-file rhel8-ds.inf
Starting installation...
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv → /usr/lib/systemd/system/dirsrv@.service.
Completed installation for master

Attached is the config file and debug logs

Comment 19 Ondrej Moriš 2019-01-23 09:14:48 UTC

Acceptance Criteria:

 * IPA server can be installed in FIPS mode.

Comment 20 Tomas Mraz 2019-01-23 09:33:31 UTC

(In reply to Ondrej Moriš from comment #19)
> Acceptance Criteria:
> 
>  * IPA server can be installed in FIPS mode.

I believe this is too broad AC.

I'd suggest AC:

  * java -Djava.security.properties=../outputs/FIPS-java.txt CipherList lists the DHE_RSA and ECDHE_RSA ciphersuites (and the same for FUTURE policy)

Note You need to log in before you can comment on or make changes to this bug.