Description of problem: FIPS-enabled RHEL9 clients are unable to communicate with Satellite 6.11 Version-Release number of selected component (if applicable): Satellite server (RHEL7/6.11.5.4) Satellite server (RHEL7satellite-6.10) How reproducible: Apply RHSA-2023:3722 on RHEL 9 Steps to Reproduce: 1. Enabled fips 2. yum updateinfo --installed RHSA-2023:3722 3. subscription-manager refresh ; yum repolist Actual results: # update-crypto-policies --show FIPS # cat /proc/sys/crypto/fips_enabled 1 # fips-mode-setup --check FIPS mode is enabled. # yum updateinfo --info RHSA-2023:3722 # subscription-manager refresh ; yum repolist Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 0.0 B/s | 0 B 00:00 Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms': - Curl error (35): SSL connect error for https://satellite.example.com/pulp/content/Default_Organization/Library/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error:1C8000E9:Provider routines::ems not enabled] Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried Expected results: Do we have any workaround or upgrade underlying OS RHEL 7 to RHEL 8 will be the only option? Additional info: # yum list installed |grep -i openssl openssl.x86_64 1:3.0.7-16.el9_2 @rhel-9-for-x86_64-baseos-rpms openssl-libs.x86_64 1:3.0.7-16.el9_2 @rhel-9-for-x86_64-baseos-rpms The Extended Master Secret TLS Extension is now enforced on FIPS-enabled systems With the release of the RHSA-2023:3722 advisory, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected.
This issue only affects Satellite 6.11 running on RHEL 7 and there is no available work around. Users encountering this issue will need to upgrade to at least Satellite 6.11 running on RHEL 8.