Bug 1978628 - rhel9 fips mode is non-function with openssl-3
Status: CLOSED DUPLICATE of bug 1977318
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: openssl
Version: 9.0
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: beta
Assignee: Sahana Prasad
QA Contact: BaseOS QE Security Team
Reported: 2021-07-02 11:02 UTC by Vladis Dronov
Modified: 2021-08-02 09:27 UTC (History)
Last Closed: 2021-07-02 13:19:54 UTC
Type: Bug

Description Vladis Dronov 2021-07-02 11:02:03 UTC
RHEL-9 FIPS mode is not functional with openssl-3 libs. I believe the urgency and priority is somewhere between Urgent and Critical.

(compose is openssl-1 RHEL-9.0.0-20210617.1 and openssl-3 latest compose is configured as *-bad-*)

# uname -r
5.13.0-2.ecdhfix.el9.x86_64 // exact kernel version is not important here

# fips-mode-setup --check
FIPS mode is enabled.

# rpm -qa openssl\*
openssl-pkcs11-0.4.11-4.el9.x86_64
openssl-libs-1.1.1j-1.el9.x86_64
openssl-1.1.1j-1.el9.x86_64
openssl-devel-1.1.1j-1.el9.x86_64

# dnf --showd list openssl
Last metadata expiration check: 0:00:15 ago on Fri 02 Jul 2021 12:47:01 CEST.
Installed Packages
openssl.x86_64    1:1.1.1j-1.el9             @rhel9blc-baseos   
Available Packages
openssl.x86_64    1:1.1.1j-1.el9             rhel9blc-baseos    
openssl.x86_64    1:3.0.0-0.alpha16.4.el9    rhel9blc-bad-baseos

(ALL IS GOOD)

# dnf upgrade openssl
...(full list in #c1)...
Install   1 Package
Upgrade  65 Packages
Total download size: 40 M
...skip...
  Cleanup          : libsss_idmap-2.4.2-4.el9.x86_64      130/131 
  Cleanup          : libsss_nss_idmap-2.4.2-4.el9.x86_64  131/131 
  Running scriptlet: rpm-4.16.1.3-1.el9.2.x86_64          131/131 
  Running scriptlet: sssd-common-2.5.1-2.el9.x86_64       131/131 
  Running scriptlet: libsss_nss_idmap-2.4.2-4.el9.x86_64  131/131 

^C^C
^C^C^C^C^C^C^C^C
^C^C^C^C^C^C
Job for sshd.service failed because a timeout was exceeded.
See "systemctl status sshd.service" and "journalctl -xeu sshd.service" for details.

# dnf list
^C^C^C^C^C
^C^C^C^C^C
(THAT'S ALL FOLKS, SYSTEM OF A DOWN)
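
A pre-upgrade check for the situation shown in the description above, as an added example that is not part of the original report and not Red Hat's fix: it parses a `dnf list` listing and holds the upgrade when FIPS mode is on and a higher OpenSSL major version is on offer. The function names (`openssl_majors`, `fips_state`, `upgrade_guard`) are hypothetical, and treating any major-version jump as a reason to hold is an assumption drawn from this one report.

```shell
#!/bin/sh
# Added example (not Red Hat's fix): hold an openssl upgrade on a FIPS host
# when it would cross a major version, as 1.1.1j -> 3.0.0 does in this report.

# Listing copied from the "dnf --showd list openssl" output in the description.
SAMPLE_LISTING='Installed Packages
openssl.x86_64    1:1.1.1j-1.el9             @rhel9blc-baseos
Available Packages
openssl.x86_64    1:1.1.1j-1.el9             rhel9blc-baseos
openssl.x86_64    1:3.0.0-0.alpha16.4.el9    rhel9blc-bad-baseos'

# Read a dnf listing on stdin; print "<installed major> <highest available major>".
openssl_majors() {
    awk '
        /^Installed Packages/ { section = "inst";  next }
        /^Available Packages/ { section = "avail"; next }
        $1 ~ /^openssl\./ {               # the openssl package itself, not openssl-libs
            evr = $2
            sub(/^[0-9]+:/, "", evr)      # drop the epoch ("1:")
            split(evr, parts, ".")
            major = parts[1] + 0
            if (section == "inst") inst = major
            else if (section == "avail" && major > avail) avail = major
        }
        END { print inst + 0, avail + 0 }
    '
}

# Print 1 when the kernel reports FIPS mode, otherwise 0.
fips_state() {
    cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0
}

# upgrade_guard FIPS LISTING (hypothetical helper): return 1 to hold the upgrade
# when FIPS is on and a higher openssl major is on offer, 0 otherwise.
upgrade_guard() {
    guard_fips=$1
    set -- $(printf '%s\n' "$2" | openssl_majors)
    if [ "$guard_fips" = "1" ] && [ "$2" -gt "$1" ]; then
        echo "hold: FIPS mode is on and openssl would go from major $1 to $2" >&2
        return 1
    fi
    return 0
}

# Typical use on a live host (commented out so the block runs offline):
# upgrade_guard "$(fips_state)" "$(dnf --showduplicates list openssl)" && dnf upgrade openssl
```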

Comment 1 Vladis Dronov 2021-07-02 11:08:17 UTC
1) This definitely is a blocker, setting blocker?.

2) a system can be configured for the FIPS mode with:

# rpm -qf $(command -v fips-mode-setup)
crypto-policies-scripts-20210218-2.git2246c55.el9.noarch

# fips-mode-setup
Check, enable, or disable the system FIPS mode.
usage: /usr/bin/fips-mode-setup --enable|--disable [--no-bootcfg]
usage: /usr/bin/fips-mode-setup --check
usage: /usr/bin/fips-mode-setup --is-enabled

3) an exact list of installed packages:

# dnf upgrade openssl
Last metadata expiration check: 0:03:23 ago on Fri 02 Jul 2021 12:47:01 CEST.
Dependencies resolved.
======================================================================================
 Package                  Arch   Version                 Repository              Size
======================================================================================
Upgrading:
 coreutils                x86_64 8.32-28.el9             rhel9blc-bad-baseos    1.1 M
 coreutils-common         x86_64 8.32-28.el9             rhel9blc-bad-baseos    2.0 M
 cryptsetup-libs          x86_64 2.3.6-2.el9             rhel9blc-bad-baseos    492 k
 git-core                 x86_64 2.31.1-2.el9.1          rhel9blc-bad-appstream 3.6 M
 ima-evm-utils            x86_64 1.3.2-4.el9             rhel9blc-bad-baseos     63 k
 kmod                     x86_64 28-4.el9                rhel9blc-bad-baseos    125 k
 kmod-libs                x86_64 28-4.el9                rhel9blc-bad-baseos     65 k
 krb5-libs                x86_64 1.19.1-8.el9            rhel9blc-bad-baseos    744 k
 libarchive               x86_64 3.5.1-6.el9             rhel9blc-bad-baseos    394 k
 libcurl                  x86_64 7.76.1-6.el9            rhel9blc-bad-baseos    291 k
 libdnf                   x86_64 0.63.0-1.el9            rhel9blc-bad-baseos    645 k
 libdnf-plugin-subscription-manager
                          x86_64 1.29.12-2.el9           rhel9blc-bad-baseos     59 k
 libevent                 x86_64 2.1.12-5.el9            rhel9blc-bad-baseos    270 k
 libfido2                 x86_64 1.6.0-6.el9             rhel9blc-bad-baseos     73 k
 librepo                  x86_64 1.14.0-3.el9            rhel9blc-bad-baseos     93 k
 librhsm                  x86_64 0.0.3-6.el9             rhel9blc-bad-baseos     36 k
 libssh                   x86_64 0.9.5-5.el9             rhel9blc-bad-baseos    212 k
 libssh-config            noarch 0.9.5-5.el9             rhel9blc-bad-baseos     12 k
 libsss_certmap           x86_64 2.5.1-2.el9             rhel9blc-bad-baseos     72 k
 libsss_idmap             x86_64 2.5.1-2.el9             rhel9blc-bad-baseos     41 k
 libsss_nss_idmap         x86_64 2.5.1-2.el9             rhel9blc-bad-baseos     43 k
 openldap                 x86_64 2.4.57-5.el9            rhel9blc-bad-baseos    264 k
 openssh                  x86_64 8.6p1-5.el9.1           rhel9blc-bad-baseos    448 k
 openssh-clients          x86_64 8.6p1-5.el9.1           rhel9blc-bad-baseos    689 k
 openssh-server           x86_64 8.6p1-5.el9.1           rhel9blc-bad-baseos    458 k
 openssl                  x86_64 1:3.0.0-0.alpha16.4.el9 rhel9blc-bad-baseos    1.0 M
 openssl-devel            x86_64 1:3.0.0-0.alpha16.4.el9 rhel9blc-bad-appstream 2.3 M
 openssl-libs             x86_64 1:3.0.0-0.alpha16.4.el9 rhel9blc-bad-baseos    2.1 M
 openssl-pkcs11           x86_64 0.4.11-6.el9            rhel9blc-bad-baseos     76 k
 perl-Net-SSLeay          x86_64 1.90-5.el9              rhel9blc-bad-appstream 357 k
 python-unversioned-command
                          noarch 3.9.5-6.el9             rhel9blc-bad-appstream  13 k
 python3                  x86_64 3.9.5-6.el9             rhel9blc-bad-baseos     30 k
 python3-devel            x86_64 3.9.5-6.el9             rhel9blc-bad-appstream 208 k
 python3-hawkey           x86_64 0.63.0-1.el9            rhel9blc-bad-baseos    117 k
 python3-libdnf           x86_64 0.63.0-1.el9            rhel9blc-bad-baseos    799 k
 python3-librepo          x86_64 1.14.0-3.el9            rhel9blc-bad-baseos     53 k
 python3-libs             x86_64 3.9.5-6.el9             rhel9blc-bad-baseos    7.4 M
 python3-rpm              x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-baseos     98 k
 python3-subscription-manager-rhsm
                          x86_64 1.29.12-2.el9           rhel9blc-bad-baseos    141 k
 python3-unbound          x86_64 1.13.1-7.el9            rhel9blc-bad-appstream 103 k
 rng-tools                x86_64 6.13-2.el9              rhel9blc-bad-baseos     64 k
 rpm                      x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-baseos    501 k
 rpm-build                x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-appstream  98 k
 rpm-build-libs           x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-baseos     97 k
 rpm-libs                 x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-baseos    319 k
 rpm-plugin-selinux       x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-baseos     22 k
 rpm-plugin-systemd-inhibit
                          x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-appstream  22 k
 rpm-sign-libs            x86_64 4.16.1.3-1.el9.2        rhel9blc-bad-baseos     26 k
 rsync                    x86_64 3.2.3-8.el9             rhel9blc-bad-baseos    394 k
 sssd-client              x86_64 2.5.1-2.el9             rhel9blc-bad-baseos    125 k
 sssd-common              x86_64 2.5.1-2.el9             rhel9blc-bad-baseos    1.5 M
 sssd-kcm                 x86_64 2.5.1-2.el9             rhel9blc-bad-baseos    111 k
 subscription-manager-rhsm-certificates
                          x86_64 1.29.12-2.el9           rhel9blc-bad-baseos     42 k
 sudo                     x86_64 1.9.5p2-4.el9           rhel9blc-bad-baseos    1.1 M
 sudo-python-plugin       x86_64 1.9.5p2-4.el9           rhel9blc-bad-appstream  57 k
 systemd                  x86_64 248-7.el9               rhel9blc-bad-baseos    3.7 M
 systemd-libs             x86_64 248-7.el9               rhel9blc-bad-baseos    598 k
 systemd-pam              x86_64 248-7.el9               rhel9blc-bad-baseos    238 k
 systemd-rpm-macros       noarch 248-7.el9               rhel9blc-bad-baseos     29 k
 systemd-udev             x86_64 248-7.el9               rhel9blc-bad-baseos    1.4 M
 tpm2-tss                 x86_64 3.0.3-4.el9             rhel9blc-bad-baseos    577 k
 trousers                 x86_64 0.3.15-4.el9            rhel9blc-bad-baseos    147 k
 trousers-lib             x86_64 0.3.15-4.el9            rhel9blc-bad-baseos    171 k
 unbound-libs             x86_64 1.13.1-7.el9            rhel9blc-bad-appstream 529 k
 zchunk-libs              x86_64 1.1.9-4.el9             rhel9blc-bad-baseos     47 k
Installing dependencies:
 compat-openssl11         x86_64 1:1.1.1k-1.el9          rhel9blc-bad-baseos    1.5 M

Transaction Summary
======================================================================================
Install   1 Package
Upgrade  65 Packages

Total download size: 40 M

Comment 3 Vladis Dronov 2021-07-02 11:27:23 UTC
though i cannot set ITR here, i'll provide my view on this re: blocker+

> 1. What is the scope of harm if this BZ is not resolved in this release?  Reviewers want to know which RHEL features or
> customers are affected and if it will impact any Layered Product or Hardware partner plans.

the whole RHEL9 FIPS mode is affected, we cannot certify RHEL9 for FIPS with this issue.

> 2. What are the risks associated with resolving this BZ?  Reviewers want to know the scope of retesting, potential regressions

i do not think there is any risk. as soon as core problem is resolved the system should be functioning again. surely, careful
testing is required.

> 3. Provide any other details that meet blocker criteria or should be weighed in making a decision (Other releases affected,
> upstream status, business impacts, etc).

We just cannot release even Beta (this is published to Partners, afaik) with this issue.

Comment 4 Sahana Prasad 2021-07-02 13:19:54 UTC

*** This bug has been marked as a duplicate of bug 1977318 ***

