Description of problem: After https://bugzilla.redhat.com/show_bug.cgi?id=2157951 any C9S (or future RHEL9) system with fips enabled fails when access an httpd server with SSL enabled. In my case that means curl or dnf, i.e.: # curl -L -o /etc/yum.repos.d/delorean-deps.repo https://trunk.rdoproject.org/centos9-antelope/delorean-deps.repo % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 curl: (35) error:1C8000E9:Provider routines::ems not enabled or: Errors during downloading metadata for repository 'delorean-antelope-testing': - Curl error (35): SSL connect error for https://trunk.rdoproject.org/centos9-antelope/deps/latest/repodata/repomd.xml [error:1C8000E9:Provider routines::ems not enabled] Error: Failed to download metadata for repo 'delorean-antelope-testing': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried My guess is that httpd/mod_ssl/openssl in RHEL/CentOS7 do not support EMS or at least not by default, my versions are: httpd-2.4.6-98.el7.centos.7.x86_64 mod_ssl-2.4.6-98.el7.centos.7.x86_64 openssl-1.0.2k-26.el7_9.x86_64 Is there any way to enable it or to workaround it somehow from the server side? Best regards, Alfredo
See also https://access.redhat.com/solutions/7018256. FIPS 140-3 Implementation Guidance requires that TLS 1.2 can only be used with the Extended Master Secret extension in modules validated after May 16, 2023 (see "D.Q Transition of the TLS 1.2 KDF to Support the Extended Master Secret"). The best course of action is to upgrade the remote machines to support TLS 1.3 or the extended master secret extension in TLS 1.2.