Bug 1868637 - ipmitool fails to connect to modern OpenBMC due to error in cipher suite matching
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipmitool
Version: 7.9
Hardware: All
OS: All
Target Milestone: rc
Assignee: Vaclav Dolezal
QA Contact: Rachel Sibley
Depends On:
Reported: 2020-08-13 11:10 UTC by Alexander Amelkin
Modified: 2020-11-12 09:15 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-12 09:15:15 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
CentOS 17653 0 None None None 2020-08-13 11:10:25 UTC

Description Alexander Amelkin 2020-08-13 11:10:25 UTC
Description of problem:

A lot of servers are using the OpenBMC stack for their management controllers.
Some time ago the OpenBMC project dropped support for cipher suite 3 due to its insecurity.

Before that happened, the upstream ipmitool has been updated and a bug that prevented proper cipher suite negotiation has been fixed there.
However, those commits have not been imported yet to the CentOS 7 ipmitool package. That results in CentOS 7 ipmitool failing to authenticate over lanplus interface to any modern OpenBMC-driven controllers.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

Try to query any modern OpenBMC-driven BMC and observe an error:

$ ipmitool -H <openbmc_ip_address> -I lanplus -U <username> -P <password> mc info
Error in open session response message : invalid authentication algorithm

Error: Unable to establish IPMI v2 / RMCP+ session

Additional info:

OpenBMC commit that dropped cipher suite 3:

Upstream ipmitool commits that fix the issue:
https://github.com/ipmitool/ipmitool/commit/7772254b62826b894ca629df8c597030a98f4f72 lanplus: Auto-select 'best' cipher suite available
https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 channel: Fix buffer overflow

Comment 2 Lei YU 2020-10-23 09:39:53 UTC
I tried to cherry-pick the two commits based on 1.8.18 tag:
* It gets some conflicts, which could be resolved manually.
* It depends on ipmi24toh(), which is introduced in 0310208383b863c9e4506bc151b8912f17402a6e and could NOT be picked cleanly, so I manually cherry-picked the function.
* It depends on ARRAY_SIZE(), which is introduced in fe8d1fa6243f14a36219871010237d8e06ad8120, and it could be picked cleanly.
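
The cipher suite matching this report is about, as an added example (not ipmitool's code and not part of the bug report): it parses a BMC's advertised cipher suite records using the IPMI v2.0 record layout and shows why a client fixed on suite 3 finds no match while a preference list does. The function names, the sample bytes and the 17-then-3 preference order are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Record layout per IPMI v2.0: 0xC0 starts a standard record, 0xC1 an OEM
 * record; the suite ID follows; OEM records then carry a 3-byte IANA, LSB
 * first. Algorithm bytes come last, tagged in bits [7:6]. */
struct suite { uint8_t id; uint32_t iana; uint8_t alg[3]; }; /* auth, integrity, conf */

/* Parse at most max records; returns the count, or -1 on malformed input. */
int parse_suites(const uint8_t *d, size_t len, struct suite *out, size_t max)
{
    size_t i = 0, n = 0;
    while (i < len && n < max) {              /* never writes past out[max-1] */
        uint8_t start = d[i++], seen = 0;
        size_t hdr = (start == 0xC0) ? 1 : (start == 0xC1) ? 4 : 0;
        if (hdr == 0 || len - i < hdr)        /* bad start byte or short header */
            return -1;
        struct suite s = { .id = d[i] };
        if (start == 0xC1)                    /* 24-bit IANA, LSB first */
            s.iana = d[i + 1] | (uint32_t)d[i + 2] << 8 | (uint32_t)d[i + 3] << 16;
        for (i += hdr; i < len && (d[i] & 0xC0) != 0xC0; i++) {
            s.alg[d[i] >> 6] = d[i] & 0x3F;   /* tag 0, 1 or 2 picks the class */
            seen |= (uint8_t)(1u << (d[i] >> 6));
        }
        if (seen != 7) return -1;             /* record ended before all three classes */
        out[n++] = s;
    }
    return (int)n;
}

/* First ID in pref[] that is advertised as a standard suite, else -1. */
int pick_suite(const struct suite *s, int n, const uint8_t *pref, size_t npref)
{
    for (size_t p = 0; p < npref; p++)
        for (int k = 0; k < n; k++)
            if (s[k].iana == 0 && s[k].id == pref[p])
                return pref[p];
    return -1;
}

int main(void)
{
    /* Constructed sample: a BMC advertising only suite 17 (suite 3 dropped). */
    const uint8_t only17[] = { 0xC0, 0x11, 0x03, 0x44, 0x81 };
    const uint8_t fixed[] = { 3 }, best[] = { 17, 3 };   /* assumed orders */
    struct suite s[16];
    int n = parse_suites(only17, sizeof only17, s, 16);
    printf("fixed suite 3: %d, preference list: %d\n",
           pick_suite(s, n, fixed, 1), pick_suite(s, n, best, 2));
}
```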

Comment 3 Josef Ridky 2020-11-12 09:15:15 UTC
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. 7.9 was the last minor release scheduled for RHEL 7.
From initial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed.

From the RHEL life cycle page:
"During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."

If this BZ was closed in error and meets the above criteria, please re-open it, flag for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes:

Feature Requests can be re-opened and moved to RHEL 8 if the desired functionality is not already present in the product.

Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns.  

[0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7
