Description of problem:
BIND fails to start in FIPS mode.

# journalctl -u named-pkcs11
...
May 13 19:02:40 ipa.example.test bash[32484]: /etc/crypto-policies/back-ends/bind.config:2: invalid algorithm 'RSAMD5'

To work around this I removed the line RSAMD5 under disable-algorithms in /etc/crypto-policies/back-ends/bind.config and the service starts and seems to operate ok.

I ran into this installing freeIPA in FIPS mode. There are other FIPS-related things to work through so I can't provide a simple reproducer at the moment.

Version-Release number of selected component (if applicable):
crypto-policies-20190211-2.gite3eacfc.fc29
Sounds like a Bind or IPA configuration bug. MD5 is definitely not allowed in FIPS mode, so it can't be allowed in the crypto-policies for FIPS.
Oh, apparently I misunderstood the problem at first read. The problem is that RSAMD5 is (was?) a valid algorithm for bind which we disabled in the crypto-policies. Now for some reason when we tell bind to disable this algorithm it balks. Sounds like a regression where a supported option suddenly disappeared. This is strange because I still see applied patches in f29 dist-git where the RSAMD5 algorithm is checked. Sounds like something for bind folks to investigate first: valid config files shouldn't suddenly stop working after an upgrade. Even if RSAMD5 was dropped (I see upstream dropped it in 9.13), our bind should probably just have a rule to ignore the string when it occurs in config files, at least for the disable-algorithms option, or push a change into crypto-policies and place an explicit dependency on a "new enough" crypto-policies package.
Hmm, maybe my checks are too strict in the place where the RSAMD5 algorithm is fetched. It pretends it does not know about its existence, mimicking upstream support for FIPS mode at compile time. It is required to refuse key generation and similar stuff. I admit I did not take into account requests to disable such an algorithm. It fails because it pretends it is not even known. I will have to modify the FIPS patch to understand the RSAMD5 algorithm but just refuse to use it, and allow it to be disabled by the security policy.
However, FIPS mode never worked correctly for me on Fedora, so I was not able to test it. I was unable to disable the MD5 function in OpenSSL the way it is possible on RHEL. Is that fixed now? I used the test: $ echo test | openssl md5 which always fails on RHEL, but never fails on Fedora, regardless of my system being configured in FIPS mode.
Created attachment 1600612 [details]
Patch disable

Allow an autodisabled algorithm to be explicitly disabled, but fail any other use of it.
Created attachment 1601781 [details]
downstream patch for 9.11.9

Upstream modified the 9.14 digest functions to always use OpenSSL. It would also handle the return codes of those functions. This patch is for v9_11 only, because no API change would occur there.
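The two comments above describe the bug (the FIPS patch reports RSAMD5 as unknown, so a disable-algorithms entry naming it is rejected as an invalid algorithm) and the fix (recognise the name, accept a policy disable, refuse any actual use). The following is a constructed model of that logic written for this report; it is not BIND's code, and the algorithm table, function names and result codes are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the behaviour discussed in the thread; not BIND code. */
typedef enum { ALG_OK = 0, ALG_UNKNOWN = 1, ALG_REFUSED = 2 } alg_result;

struct alg_entry { const char *name; bool fips_approved; };

/* Sample algorithm table (constructed); RSAMD5 is the only non-approved one. */
static const struct alg_entry algs[] = {
    { "RSAMD5", false }, { "RSASHA1", true },
    { "RSASHA256", true }, { "ECDSAP256SHA256", true },
};

static const struct alg_entry *find_alg(const char *name) {
    for (size_t i = 0; i < sizeof algs / sizeof algs[0]; i++)
        if (strcmp(algs[i].name, name) == 0) return &algs[i];
    return NULL;
}

/* Old FIPS patch: in FIPS mode a non-approved algorithm is reported as unknown,
 * so "disable-algorithms { RSAMD5; }" fails with "invalid algorithm". */
alg_result old_disable_algorithm(bool fips, const char *name) {
    const struct alg_entry *a = find_alg(name);
    if (a == NULL || (fips && !a->fips_approved)) return ALG_UNKNOWN;
    return ALG_OK;
}

/* Fixed behaviour: the name is always recognised, so disabling it by policy
 * is accepted in FIPS mode too ... */
alg_result new_disable_algorithm(bool fips, const char *name) {
    (void)fips;                       /* FIPS mode does not affect a disable */
    return find_alg(name) != NULL ? ALG_OK : ALG_UNKNOWN;
}

/* ... while any other use (key generation, signing, validation) is refused. */
alg_result new_use_algorithm(bool fips, const char *name) {
    const struct alg_entry *a = find_alg(name);
    if (a == NULL) return ALG_UNKNOWN;
    if (fips && !a->fips_approved) return ALG_REFUSED;
    return ALG_OK;
}

int main(void) {
    printf("old, FIPS, disable RSAMD5: %d (1 = invalid algorithm)\n",
           old_disable_algorithm(true, "RSAMD5"));
    printf("new, FIPS, disable RSAMD5: %d (0 = accepted)\n",
           new_disable_algorithm(true, "RSAMD5"));
    printf("new, FIPS, use RSAMD5:     %d (2 = refused)\n",
           new_use_algorithm(true, "RSAMD5"));
    return 0;
}
```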
FEDORA-2019-d04f66e595 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d04f66e595
FEDORA-2019-11a3771c04 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-11a3771c04
FEDORA-2019-8984905bca has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8984905bca
bind-9.11.10-1.fc30, bind-dyndb-ldap-11.1-19.fc30, dhcp-4.3.6-37.fc30, dnsperf-2.3.2-1.fc30 have been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8984905bca
bind-9.11.10-1.fc29, bind-dyndb-ldap-11.1-19.fc29, dhcp-4.3.6-34.fc29, dnsperf-2.3.2-1.fc29 have been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d04f66e595
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-11a3771c04
bind-9.11.10-1.fc30, bind-dyndb-ldap-11.1-19.fc30, dhcp-4.3.6-37.fc30, dnsperf-2.3.2-1.fc30 have been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.11.10-1.fc31, bind-dyndb-ldap-11.1-20.fc31, dnsperf-2.3.2-1.fc31 have been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.11.10-1.fc29, bind-dyndb-ldap-11.1-19.fc29, dhcp-4.3.6-34.fc29, dnsperf-2.3.2-1.fc29 have been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.