Bug 2224347 - FIPS-enabled RHEL9 clients are unable to communicate with Satellite 6.11 on RHEL 7
Status: NEW
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installer
Version: 6.11.5
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
Reported: 2023-07-20 13:19 UTC by Ganesh Payelkar
Modified: 2023-08-02 00:19 UTC (History)

Links:
Red Hat Issue Tracker: SAT-19211 (last updated 2023-07-27 13:26:44 UTC)
Red Hat Knowledge Base (Solution): 7025030 (last updated 2023-07-21 13:37:11 UTC)

Description Ganesh Payelkar 2023-07-20 13:19:36 UTC
Description of problem:

FIPS-enabled RHEL9 clients are unable to communicate with Satellite 6.11


Version-Release number of selected component (if applicable):
Satellite server (RHEL7/6.11.5.4) 
Satellite server (RHEL7satellite-6.10)

How reproducible: 
Apply RHSA-2023:3722 on RHEL 9 


Steps to Reproduce:
1. Enabled fips
2. yum updateinfo --installed RHSA-2023:3722
3. subscription-manager refresh ; yum repolist

Actual results:

# update-crypto-policies --show
FIPS

# cat /proc/sys/crypto/fips_enabled
1

# fips-mode-setup --check
FIPS mode is enabled.


# yum updateinfo --info RHSA-2023:3722

# subscription-manager refresh ; yum repolist

Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)                                                                                                                              0.0  B/s |   0  B     00:00    
Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms':
  - Curl error (35): SSL connect error for https://satellite.example.com/pulp/content/Default_Organization/Library/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error:1C8000E9:Provider routines::ems not enabled]
Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

Expected results:

Do we have any workaround, or will upgrading the underlying OS from RHEL 7 to RHEL 8 be the only option?

Additional info:

# yum list installed  |grep -i openssl
openssl.x86_64                                             1:3.0.7-16.el9_2              @rhel-9-for-x86_64-baseos-rpms  
openssl-libs.x86_64                                        1:3.0.7-16.el9_2              @rhel-9-for-x86_64-baseos-rpms  

The Extended Master Secret TLS Extension is now enforced on FIPS-enabled systems

With the release of the RHSA-2023:3722 advisory, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected.
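
Added example (not part of the bug report or of any Red Hat tooling): a shell helper that classifies `openssl s_client` output to show whether a TLS 1.2 session negotiated the Extended Master Secret extension. The function names, port 443 in `check_host`, and the sample transcripts are assumptions constructed for illustration; only the `ems not enabled` error string is taken from the report above.

```shell
#!/bin/sh
# Added example: classify Extended Master Secret (RFC 7627) state from
# `openssl s_client` output. Reads text on stdin and prints one verdict:
#   fips-rejected  local FIPS provider refused the handshake (error from this bug)
#   tls13          TLS 1.3 negotiated; the EMS requirement does not apply
#   ems-yes        TLS 1.2 session with EMS negotiated
#   ems-no         TLS 1.2 session without EMS
#   unknown        no session information found
classify_ems() (
    proto=""; ems=""; rejected=0
    while IFS= read -r line; do
        case "$line" in
            *"ems not enabled"*)          rejected=1 ;;
            *"Protocol"*": TLSv1."*)      proto="${line##*: }" ;;
            *"Extended master secret: "*) ems="${line##*: }" ;;
        esac
    done
    # The rejection is checked first: a failed handshake can still print
    # a placeholder session block.
    if [ "$rejected" -eq 1 ]; then echo fips-rejected
    elif [ "$proto" = "TLSv1.3" ]; then echo tls13
    elif [ "$proto" = "TLSv1.2" ] && [ "$ems" = "yes" ]; then echo ems-yes
    elif [ "$proto" = "TLSv1.2" ] && [ "$ems" = "no" ]; then echo ems-no
    else echo unknown
    fi
)

# Live check against a server (assumption: HTTPS on port 443).
check_host() { openssl s_client -connect "$1:443" </dev/null 2>&1 | classify_ems; }

# Constructed sample transcripts (not captured from a real system).
sample_tls12_no_ems() { printf '%s\n' 'SSL-Session:' \
    '    Protocol  : TLSv1.2' '    Extended master secret: no'; }
sample_tls12_ems() { printf '%s\n' 'SSL-Session:' \
    '    Protocol  : TLSv1.2' '    Extended master secret: yes'; }
# TLS 1.3 sessions also report "no"; that must not be read as a failure.
sample_tls13() { printf '%s\n' 'SSL-Session:' \
    '    Protocol  : TLSv1.3' '    Extended master secret: no'; }
sample_fips_reject() { printf '%s\n' \
    'error:1C8000E9:Provider routines::ems not enabled' 'SSL-Session:' \
    '    Protocol  : TLSv1.2' '    Extended master secret: no'; }

for s in sample_tls12_no_ems sample_tls12_ems sample_tls13 sample_fips_reject; do
    printf '%-22s %s\n' "$s" "$("$s" | classify_ems)"
done
```

The `ems-yes` and `ems-no` verdicts require a host that can complete the TLS 1.2 handshake, since the FIPS-enabled client in this report fails before a session is established.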

Comment 8 Eric Helms 2023-07-27 13:54:50 UTC
This issue only affects Satellite 6.11 running on RHEL 7 and there is no available workaround. Users encountering this issue will need to upgrade to at least Satellite 6.11 running on RHEL 8.

