2220915 – RHEL 7.9 client installation fails in FIPS mode with 9.2 server

This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2220915 - RHEL 7.9 client installation fails in FIPS mode with 9.2 server

Summary: RHEL 7.9 client installation fails in FIPS mode with 9.2 server

Keywords:
Status:	CLOSED MIGRATED
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	9.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Florence Blanc-Renaud
QA Contact:	ipa-qe
Docs Contact:	Filip Hanzelka
URL:
Whiteboard:
Depends On:	2216257
Blocks:
TreeView+	depends on / blocked

Reported:	2023-07-06 13:45 UTC by Florence Blanc-Renaud
Modified:	2023-09-18 22:58 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	.Installing a RHEL 7 IdM client with a RHEL 9.2+ IdM server in FIPS mode fails due to EMS enforcement The TLS `Extended Master Secret` (EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 and later systems. This is in accordance with FIPS-140-3 requirements. However, the `openssl` version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 9.2 and later fails. If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around the problem by removing the requirement for EMS usage on the RHEL 9 server by applying a NO-ENFORCE-EMS subpolicy on top of the FIPS crypto policy: ---- # update-crypto-policies --set FIPS:NO-ENFORCE-EMS ---- Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client succeeds.
Clone Of:
Environment:
Last Closed:	2023-09-18 22:58:56 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-10120	None	None	None	2023-07-06 13:46:10 UTC
Red Hat Issue Tracker	RHEL-4955	None	Migrated	None	2023-09-18 22:55:55 UTC
Red Hat Issue Tracker	RHELPLAN-161690	None	None	None	2023-07-06 13:46:14 UTC

Description Florence Blanc-Renaud 2023-07-06 13:45:16 UTC

Description of problem:
Installation of a RHEL 7.9 client fails in FIPS mode with a RHEL 9.2 server.

Version-Release number of selected component (if applicable):
Client:
# rpm -qa ipa-client openssl
ipa-client-4.6.8-5.el7_9.14.x86_64
openssl-1.0.2k-26.el7_9.x86_64

Server:
# rpm -qa ipa-server openssl
openssl-3.0.7-16.el9_2.x86_64
ipa-server-4.10.1-7.el9_2.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Install a RHEL 9.2 server in FIPS mode
ipa-server-install --domain ipa.test --realm IPA.TEST -a password - password -U
2. Install a RHEL 7.9 client in FIPS mode
ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password password -U

Actual results:
The client installation fails due to a SSL handshake failure:

# ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U
WARNING: ntpd time&date synchronization service will not be configured as
conflicting service (chronyd) is enabled
Use --force-ntpd option to disable it and force configuration of ntpd

Client hostname: client.ipa.test
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: server.ipa.test
BaseDN: dc=ipa,dc=test

Skipping synchronizing time with NTP server.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.TEST
    Issuer:      CN=Certificate Authority,O=IPA.TEST
    Valid From:  2023-07-06 12:52:19
    Valid Until: 2043-07-06 12:52:19

Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
trying https://server.ipa.test/ipa/json
[try 1]: Forwarding 'schema' to json server 'https://server.ipa.test/ipa/json'
cannot connect to 'https://server.ipa.test/ipa/json': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information


Expected results:
Client installation should succeed.

Additional info:
This issue is related to the change done on openssl side with Bug 2188046 - Support requiring EMS in TLS 1.2, default to it when in FIPS mode [rhel-9.2.0.z] 

In FIPS mode, if the server is installed with openssl-3.0.7-16.el9_2, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections.
RHEL 7.9 clients can communicate only using TLS 1.2 but don't support this extension. RHEL 8.x clients support TLS 1.2 and TLS 1.3 and are not impacted.

The direct consequence is that RHEL 7.9 clients cannot join a RHEL 9.2+ server in FIPS mode. This limitation should be documented.

Comment 5 Julien Rische 2023-07-10 14:34:11 UTC

This error occurs in the context of a RHEL 7.9 client installation, but based on the error, we can probably expect it to happen for all HTTPS API requests (not just during the installation process):

cannot connect to 'https://server.ipa.test/ipa/json': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)

Current deployments are very likely to be affected too.

Comment 6 Clemens Lang 2023-07-10 14:44:45 UTC

That's correct. NIST now requires that modules submitted for FIPS certification after May 16th, 2023, enforce the extended master secret in TLS 1.2, or use TLS 1.3. RHEL 7 does not support TLS 1.3 or the extended master secret. See also https://access.redhat.com/solutions/7018256 which explains this.

To put it in a different way: modules submitted for FIPS certification after May 16th, 2023, can no longer talk to RHEL 7 servers using TLS while being FIPS-compliant.

Comment 19 RHEL Program Management 2023-09-18 22:53:55 UTC

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 20 RHEL Program Management 2023-09-18 22:58:56 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Note You need to log in before you can comment on or make changes to this bug.