First Last Prev Next    This bug is not in your last search results.
Bug 983890 - OpenSSL Errors in FIPS mode don't get any clue what got wrong
OpenSSL Errors in FIPS mode don't get any clue what got wrong
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl (Show other bugs)
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-12 03:45 EDT by Honza Horak
Modified: 2013-08-21 06:19 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-21 06:19:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Honza Horak 2013-07-12 03:45:22 EDT 
Description of problem:
A bit related to bug #876424 and originated from bug #877124. MySQL/MariaDB seems to do everything it can to give users enough information what got wrong during SSL connection set-up, since it calls ERR_error_string_n(), which should return human-readable text. Well, it is actually what it does, but when we try to use SSL connection in FIPS mode, we get "error:00000001:lib(0):func(0):reason(1)", which still doesn't give any clue what got wrong.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-11.el7.x86_64
mariadb-5.5.31-4.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Create certs/keys according to http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
2. Configure daemon/client to use SSL
3. $ mysql

Actual results:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)

Expected results:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1):Cipher XXX is not allowed in FIPS mode.
Comment 2 Tomas Mraz 2013-07-12 03:49:53 EDT 
Hmm this is very weird. The error number/lib/func/reason does not make any sense.

I will try to reproduce.
Comment 3 Tomas Mraz 2013-07-12 08:50:28 EDT 
Unfortunately I cannot reproduce - the defaults work for me without problems.

SHOW STATUS LIKE 'Ssl_cipher';
+---------------+--------------------+
| Variable_name | Value              |
+---------------+--------------------+
| Ssl_cipher    | DHE-RSA-AES256-SHA |
+---------------+--------------------+

This is something that works and should work given the DH key length is now 1024 bits.
Comment 4 Honza Horak 2013-08-21 06:19:08 EDT 
Sorry for the false positive report, the error I saw was most probably caused by the following [1]:

Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL. A typical error in this case is:

ERROR 2026 (HY000): SSL connection error:
error:00000001:lib(0):func(0):reason(1)

[1] http://dev.mysql.com/doc/refman/5.5/en/creating-ssl-certs.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.