Bug 604563 - metalink do not work in yum when in FIPS mode
metalink do not work in yum when in FIPS mode
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: yum (Show other bugs)
6.0
All Linux
medium Severity medium
: rc
: ---
Assigned To: James Antill
BaseOS QE Security Team
:
Depends On:
Blocks: 582655
  Show dependency treegraph
 
Reported: 2010-06-16 04:48 EDT by Jan Hutař
Modified: 2014-01-21 01:18 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-15 06:47:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Hutař 2010-06-16 04:48:53 EDT
Description of problem:
When I configured repository with baseurl= being an metalink in RHEL6 in FIPS mode, yum fails to download it.


Version-Release number of selected component (if applicable):
yum-3.2.27-9.el6.noarch
fipscheck-1.2.0-4.1.el6.i686
kernel-2.6.32-28.el6.i686
kernel-2.6.32-33.el6.i686


How reproducible:
always (tested on 1 i386 RHEL6 system)


Steps to Reproduce:
1. # vim /etc/yum.repos.d/fedora-meta.repo
   [fedora-meta]
   name=Fedora 12 i386
   failovermethod=priority
   mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-12&arch=i386
   enabled=1
   metadata_expire=7d
   gpgcheck=1
   gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$basearch
2. # yum repolist
   Loaded plugins: aliases, changelog, downloadonly, presto, protect-packages, refresh-packagekit, rhnplugin, security, tmprepo,
                 : verify, versionlock
   This system is not registered with RHN.
   RHN support will be disabled.
   fedora-meta/metalink                            |  20 kB     00:00     
   fips.c(152): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
   Aborted (core dumped)


Actual results:
yum fails to download metalink


Expected results:
should work


Additional info:
This was mentioned in:
  https://bugzilla.redhat.com/show_bug.cgi?id=541974#c5
Comment 1 RHEL Product and Program Management 2010-06-16 04:53:53 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.
Comment 3 James Antill 2010-06-16 10:10:01 EDT
Can we get a backtrace ... or access to a fips machine, as I can't see where we are accessing md5.
Comment 4 Jan Hutař 2010-07-15 06:47:54 EDT
Hello,
you are right. I have re-checked with these versions:

kernel-2.6.32-44.el6.i686
fipscheck-lib-1.2.0-4.1.el6.i686
fipscheck-1.2.0-4.1.el6.i686
yum-3.2.27-12.el6.noarch

and I do not see the problem any more. Maybe before I have forgot to run `prelink -u -a; rpm -e prelink` before switching to FIPS?

Thank you and sorry for a mess,
Jan

Note You need to log in before you can comment on or make changes to this bug.