Description of problem:
A lot of servers are using the OpenBMC stack for their management controllers. Some time ago the OpenBMC project dropped support for cipher suite 3 due to its insecurity. Before that happened, the upstream ipmitool was updated and a bug that prevented proper cipher suite negotiation was fixed there. However, those commits have not yet been imported into the CentOS 7 ipmitool package. That results in CentOS 7 ipmitool failing to authenticate over the lanplus interface to any modern OpenBMC-driven controllers.

Version-Release number of selected component (if applicable):
ipmitool-1.8.18-7.el7.x86_64.rpm
ipmitool-1.8.18-9.el7.x86_64.rpm

How reproducible:
Always

Steps to Reproduce:
Try to query any modern OpenBMC-driven BMC and observe an error:

```
$ ipmitool -H <openbmc_ip_address> -I lanplus -U <username> -P <password> mc info
Error in open session response message : invalid authentication algorithm
Error: Unable to establish IPMI v2 / RMCP+ session
```

Additional info:
OpenBMC commit that dropped cipher suite 3:
https://github.com/openbmc/openbmc/commit/a95e4a952c182380b98edcd8d4f615faabb8af95

Upstream ipmitool commits that fix the issue:
https://github.com/ipmitool/ipmitool/commit/7772254b62826b894ca629df8c597030a98f4f72 lanplus: Auto-select 'best' cipher suite available
https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 channel: Fix buffer overflow
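The failure in the report can be modelled in a few lines. This is an added sketch, not code from ipmitool or OpenBMC: it contrasts a client that always requests cipher suite 3 with one that picks the best suite the BMC has enabled. The function names, the enabled-suite sets and the preference order are assumptions made for the illustration; the suite definitions follow the IPMI v2.0 cipher suite table.

```python
# Added illustration of RMCP+ cipher suite selection; not ipmitool or OpenBMC code.
# Suite and algorithm names follow the IPMI v2.0 cipher suite table.
CIPHER_SUITES = {
    # id: (authentication, integrity, confidentiality)
    1: ("RAKP-HMAC-SHA1", "none", "none"),
    2: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "none"),
    3: ("RAKP-HMAC-SHA1", "HMAC-SHA1-96", "AES-CBC-128"),
    17: ("RAKP-HMAC-SHA256", "HMAC-SHA256-128", "AES-CBC-128"),
}
FIELDS = ("authentication", "integrity", "confidentiality")

# Assumption for this sketch: strongest suite first, and no fallback below 3.
PREFERENCE = (17, 3)
LEGACY_DEFAULT = 3  # default value of ipmitool 1.8.18's -C option


def open_session(bmc_enabled, requested):
    """Model the BMC side: reject the first algorithm no enabled suite offers."""
    wanted = CIPHER_SUITES[requested]
    for idx, field in enumerate(FIELDS):
        offered = {CIPHER_SUITES[s][idx] for s in bmc_enabled}
        if wanted[idx] not in offered:
            return f"invalid {field} algorithm"
    if requested not in bmc_enabled:
        return "no cipher suite match"
    return "ok"


def select_suite(bmc_enabled, preference=PREFERENCE):
    """Model the client-side fix: pick the best suite the BMC has enabled."""
    for suite in preference:
        if suite in bmc_enabled:
            return suite
    return None  # nothing acceptable: refuse rather than downgrade


def connect(bmc_enabled, auto_select):
    """Return (suite requested, session result) for one connection attempt."""
    suite = select_suite(bmc_enabled) if auto_select else LEGACY_DEFAULT
    if suite is None:
        return None, "no acceptable cipher suite"
    return suite, open_session(bmc_enabled, suite)


if __name__ == "__main__":
    modern_bmc = {17}  # constructed: a BMC with cipher suite 3 removed
    print(connect(modern_bmc, auto_select=False))
    print(connect(modern_bmc, auto_select=True))
```

On a build without the auto-select change, a suite can be requested explicitly with ipmitool's `-C` option (for example `-C 17`), provided the build supports that suite.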

I tried to cherry-pick the two commits based on 1.8.18 tag:

* It gets some conflicts, which could be resolved manually.
* It depends on ipmi24toh(), which is introduced in 0310208383b863c9e4506bc151b8912f17402a6e and could NOT be picked cleanly, so I manually cherry-pick the function.
* It depends on ARRAY_SIZE(), which is introduced in fe8d1fa6243f14a36219871010237d8e06ad8120, and it could be picked cleanly.

Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. 7.9 was the last minor release scheduled for RHEL 7.

From initial triage it does not appear the remaining Bugzillas meet the inclusion criteria for Maintenance Phase 2 and will now be closed.

From the RHEL life cycle page:
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase
"During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available."

If this BZ was closed in error and meets the above criteria please re-open it, flag for 7.9.z, provide suitable business and technical justifications, and follow the process for Accelerated Fixes:
https://source.redhat.com/groups/public/pnt-cxno/pnt_customer_experience_and_operations_wiki/support_delivery_accelerated_fix_release_handbook

Feature Requests can be re-opened and moved to RHEL 8 if the desired functionality is not already present in the product.

Please reach out to the applicable Product Experience Engineer[0] if you have any questions or concerns.

[0] https://bugzilla.redhat.com/page.cgi?id=agile_component_mapping.html&product=Red+Hat+Enterprise+Linux+7