Bug 2218721 - Find a workaround and document the error "SSL connect error (35) : error:1C8000E9:Provider routines::ems not enabled"
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: virt-v2v
Version: 9.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Richard W.M. Jones
QA Contact: Virtualization Bugs
Docs Contact: Jiri Herrmann
URL:
Whiteboard:
Depends On: 2157951 2216256
Blocks:
 
Reported: 2023-06-30 02:16 UTC by Xiaodai Wang
Modified: 2023-07-13 16:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
See https://bugzilla.redhat.com/show_bug.cgi?id=2188046#c13
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | RHELPLAN-161249 | 0 | None | None | None | 2023-06-30 02:17:28 UTC

Comment 1 Xiaodai Wang 2023-06-30 02:22:22 UTC
Repost the bug in the comment and hide some private information.
Description of problem:
Find a workaround and document the error "SSL connect error (35) : error:1C8000E9:Provider routines::ems not enabled"
Version-Release number of selected component (if applicable):
virt-v2v-2.3.4-3.el9.x86_64
openssl-3.0.7-13.el9_2.x86_64

How reproducible:
100%

Steps to Reproduce:
I copied the steps from Richard:
(1) Enable FIPS mode:

    https://access.redhat.com/solutions/137833

    # fips-mode-setup --check
    FIPS mode is enabled.

(2) Upgrade openssl to at least openssl-3.0.7-13.el9_2.x86_64.
    I downloaded the RPMs from brew:

    https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2469741

(3) Run virsh to query a guest on a remote VMware server:

  $ virsh -c 'vpx://<user>@x.x.x.x/Datacenter/host/auto-test/MTV/x.x.x.x.redhat.com?no_verify=1' \
        dumpxml mtv-rhel8-sanity
  Enter mtv's password for x.x.x.x: 
  error: failed to connect to the hypervisor
  error: internal error: curl_easy_perform() returned an error: SSL connect error (35) : error:1C8000E9:Provider routines::ems not enabled

Actual results:
error: internal error: curl_easy_perform() returned an error: SSL connect error (35) : error:1C8000E9:Provider routines::ems not enabled

Expected results:
It's better to document the workaround to this error.

Additional info:

Comment 2 Richard W.M. Jones 2023-06-30 09:16:05 UTC
It's not possible to disable this change yet, but there is a bug to track it:
https://bugzilla.redhat.com/show_bug.cgi?id=2216256
"openssl should support disabling the requirement for the extended master secret in FIPS mode"

Comment 3 Hubert Kario 2023-06-30 10:10:53 UTC
1. The workaround is to upgrade the other side of the connection to support TLS 1.3 or TLS 1.2 with EMS (standards that are 5 and 8 years old at this time).
2. While we might implement a way to relax this specific requirement in FIPS mode, *this will make the resulting connection FIPS non-compliant.*
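
Added example (not part of the bug thread and not Red Hat tooling): one way to tell which side of the workaround in Comment 3 a peer falls on, by classifying what `openssl s_client` prints after a handshake. The function names, verdict strings, exit codes and the sample transcript are constructed for illustration, and the probe assumes it is run from a host where the handshake can complete.

```shell
#!/bin/sh
# Added example: classify a TLS peer from `openssl s_client` output.
# Verdict strings and exit codes (0 ok, 1 fail, 2 unknown) are this example's own.

ems_verdict() {
    # Reads s_client output on stdin and prints one verdict line.
    awk '
        # TLS 1.3 suites are only negotiated under TLS 1.3, and the
        # SSL-Session block can be absent if s_client exits before a ticket.
        /^(New|Reused), TLSv1\.3, /      { proto = "TLSv1.3" }
        /^[ \t]*Protocol[ \t]*:/         { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/           { cipher = $NF }
        /^[ \t]*Extended master secret:/ { ems = $NF }
        END {
            # Older s_client builds print a session block with cipher 0000
            # after a failed handshake; that must not be read as "no EMS".
            done = (cipher != "" && cipher != "0000")
            if (proto == "TLSv1.3") { print "ok: TLS 1.3"; exit 0 }
            if (proto == "TLSv1.2" && done && ems == "yes") {
                print "ok: TLS 1.2 with EMS"; exit 0
            }
            if (proto == "TLSv1.2" && done && ems == "no") {
                print "fail: TLS 1.2 without EMS"; exit 1
            }
            print "unknown: no completed TLS 1.2/1.3 session in input"; exit 2
        }'
}

# Hypothetical helper: handshake with host:port ($1) and classify the result.
probe_peer() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | ems_verdict
}

# Constructed sample (not captured from a real server): TLS 1.2, no EMS.
SAMPLE_NO_EMS='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no'

printf '%s\n' "$SAMPLE_NO_EMS" | ems_verdict || true
```

A "fail" verdict identifies the peers that trigger the "ems not enabled" error when the client is in FIPS mode with the openssl build named in the report.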

Comment 4 Klaus Heinrich Kiwi 2023-06-30 15:18:34 UTC
Looks like the request here is to better document the issue or error message to clarify what is causing it, potential workarounds etc. I actually agree with this bz addressing the Documentation only, while BZ#2216256 addresses the workaround (and accompanying Doc update).

Rich, assigning to you, should we set the DocNeeded here and other fields to make this doc only?

Comment 5 Hubert Kario 2023-06-30 16:29:41 UTC
There is a KB article: https://access.redhat.com/solutions/7018256

