RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 983890 - OpenSSL Errors in FIPS mode don't get any clue what got wrong
Summary: OpenSSL Errors in FIPS mode don't get any clue what got wrong
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-12 07:45 UTC by Honza Horak
Modified: 2013-08-21 10:19 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-21 10:19:08 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Honza Horak 2013-07-12 07:45:22 UTC
Description of problem:
A bit related to bug #876424 and originated from bug #877124. MySQL/MariaDB seems to do everything it can to give users enough information what got wrong during SSL connection set-up, since it calls ERR_error_string_n(), which should return human-readable text. Well, it is actually what it does, but when we try to use SSL connection in FIPS mode, we get "error:00000001:lib(0):func(0):reason(1)", which still doesn't give any clue what got wrong.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-11.el7.x86_64
mariadb-5.5.31-4.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Create certs/keys according to http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
2. Configure daemon/client to use SSL
3. $ mysql

Actual results:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Expected results:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1):Cipher XXX is not allowed in FIPS mode.

Comment 2 Tomas Mraz 2013-07-12 07:49:53 UTC
Hmm this is very weird. The error number/lib/func/reason does not make any sense.

I will try to reproduce.

Comment 3 Tomas Mraz 2013-07-12 12:50:28 UTC
Unfortunately I cannot reproduce - the defaults work for me without problems.

SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

This is something that works and should work given the DH key length is now 1024 bits.

Comment 4 Honza Horak 2013-08-21 10:19:08 UTC
Sorry for the false positive report, the error I saw was most probably caused by the following [1]:

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is:

ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)

[1] http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html


Note You need to log in before you can comment on or make changes to this bug.