Bug 994634 - ocspclnt doesn't work in FIPS mode [rhel-5]
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss
Hardware: x86_64 Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: nss-nspr-maint
QA Contact: BaseOS QE Security Team
Depends On:
Blocks: 1049888 1149240
Reported: 2013-08-07 12:33 EDT by Hubert Kario
Modified: 2017-04-04 16:43 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1149240 (view as bug list)
Last Closed: 2017-04-04 16:43:48 EDT
Type: Bug
Comment 1 Hubert Kario 2013-08-08 07:42:22 EDT
Problem caused by the fact that NSS ignores system-wide FIPS mode.

See bug 883460 and bug 852023.

After setting the NSS database to FIPS mode using

    modutil -fips true -force -dbdir certdb/

ocspclnt is unable to verify the signature of the certificate or CA; it reports the following error without sending a single OCSP query:

Verification of certificate "server" failed.  Reason:
Peer's certificate has an invalid signature.
Comment 4 RHEL Product and Program Management 2014-01-22 11:27:37 EST
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 9 RHEL Product and Program Management 2014-07-15 20:26:16 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 11 Chris Williams 2017-04-04 16:43:48 EDT
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exits Production Phase 3 and enters Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. The specific support and services provided during each phase are described in detail at http://redhat.com/rhel/lifecycle

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.
