Description of problem:
In the default file /etc/pki/tls/openssl.cnf installed with openssl-libs-3.0.1-23.el9_0.x86_64.rpm, the use of .include seems incorrect. On line 75, there is a ".include = /etc/crypto-policies/back-ends/opensslcnf.config", but the '=' seems like it shouldn't be there, based on the example at the top of the file and on the fact that this seems to be causing a STIG SCAP test (xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy CCE-83452-3) to fail.
Version-Release number of selected component (if applicable):
3.0.1-23
How reproducible:
Every time
Steps to Reproduce:
1. install (or un-cpio) openssl-libs rpm
2. examine /etc/pki/tls/openssl.cnf
Actual results:
The SCAP test fails due to the equals sign.
Expected results:
The SCAP test passes with the default config file
Additional info:
I have scap-security-guide-0.1.60-6.el9_0.noarch.rpm installed.
This looks correct in the RHEL 8 version, openssl-libs-1.1.1k-7.el8_6.x86_64.rpm.
Please see the OpenSSL config manpage, which states:
> Two directives can be used to control the parsing of configuration files:
> B<.include> and B<.pragma>.
>
> For compatibility with older versions of OpenSSL, an equal sign after the
> directive will be ignored. Older versions will treat it as an assignment,
> so care should be taken if the difference in semantics is important.
>
> A file can include other files using the include syntax:
>
> .include [=] pathname
The equals sign is legal in this place, and the OpenSSL manpage documents that.
OpenSSL 1.1.1k also documents support for this:
> Other files can be included using the B<.include> directive followed
> by a path. If the path points to a directory all files with
> names ending with B<.cnf> or B<.conf> are included from the directory.
> Recursive inclusion of directories from files in such directory is not
> supported. That means the files in the included directory can also contain
> B<.include> directives but only inclusion of regular files is supported
> there. The inclusion of directories is not supported on systems without
> POSIX IO support.
>
> It is strongly recommended to use absolute paths with the B<.include>
> directive. Relative paths are evaluated based on the application current
> working directory so unless the configuration file containing the
> B<.include> directive is application specific the inclusion will not
> work as expected.
>
> There can be optional B<=> character and whitespace characters between
> B<.include> directive and the path which can be useful in cases the
> configuration file needs to be loaded by old OpenSSL versions which do
> not support the B<.include> syntax. They would bail out with error
> if the B<=> character is not present but with it they just ignore
> the include.
It seems to me like the scap tests should be adjusted.
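As an added illustration (not part of the bug report, and not code from OpenSSL or the SCAP Security Guide), the following Python sketches a compliance check that implements the `.include [=] pathname` grammar quoted from the manpage, beside a stricter pattern modelled on the failure the reporter describes. The sample configuration text, both regular expressions and all function names are constructed for this example; the only value taken from the page is the path /etc/crypto-policies/back-ends/opensslcnf.config.

```python
import re

# Real path cited in the bug report (the one the SCAP rule is concerned with).
CRYPTO_POLICY_PATH = "/etc/crypto-policies/back-ends/opensslcnf.config"

# Documented grammar: ".include [=] pathname". The '=' and the whitespace
# around it are optional, so a checker has to accept both forms.
INCLUDE_RE = re.compile(r"^\s*\.include(?:\s*=\s*|\s+)(\S+)\s*$")

# Hypothetical strict pattern that accepts only ".include pathname". It
# models the behaviour the report describes (the check fails once '=' is
# present); it is NOT the actual SCAP Security Guide expression.
STRICT_INCLUDE_RE = re.compile(r"^\s*\.include\s+(\S+)\s*$")


def parse_include(line, pattern=INCLUDE_RE):
    """Return the pathname from a single .include directive line, or None.

    '#' starts a comment, so a commented-out directive yields None and a
    checker does not mistake it for an active include.
    """
    code = line.split("#", 1)[0]
    match = pattern.match(code)
    return match.group(1) if match else None


def included_paths(cnf_text, pattern=INCLUDE_RE):
    """List every pathname pulled in by .include directives in cnf_text."""
    paths = []
    for line in cnf_text.splitlines():
        path = parse_include(line, pattern)
        if path is not None:
            paths.append(path)
    return paths


def includes_crypto_policy(cnf_text, pattern=INCLUDE_RE):
    """True if cnf_text includes the system crypto-policies back-end file."""
    return CRYPTO_POLICY_PATH in included_paths(cnf_text, pattern)


# Constructed samples (not the real files). The first mirrors the RHEL 9
# directive quoted in the report, the second the RHEL 8 form without '='.
RHEL9_STYLE_CNF = """\
# constructed sample, modelled on the directive quoted in the report
.include = /etc/crypto-policies/back-ends/opensslcnf.config

[ default_sect ]
activate = 1
"""

RHEL8_STYLE_CNF = """\
# constructed sample without the optional '='
.include /etc/crypto-policies/back-ends/opensslcnf.config
"""

COMMENTED_OUT_CNF = """\
# .include = /etc/crypto-policies/back-ends/opensslcnf.config
"""


if __name__ == "__main__":
    for name, text in [("RHEL9-style", RHEL9_STYLE_CNF),
                       ("RHEL8-style", RHEL8_STYLE_CNF),
                       ("commented out", COMMENTED_OUT_CNF)]:
        print(f"{name:14} documented grammar: {includes_crypto_policy(text)!s:5} "
              f"strict pattern: {includes_crypto_policy(text, STRICT_INCLUDE_RE)}")
```

Run stand-alone, the RHEL 9 style sample passes the documented-grammar check and fails the strict one, the RHEL 8 style sample passes both, and the commented-out directive passes neither. A rule that hard-codes the no-equals form therefore reports a false failure on a configuration OpenSSL itself parses correctly, which is the mismatch the comment above points at.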