Bug 994634 - ocspclnt doesn't work in FIPS mode [rhel-5]
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss
Version: 5.10
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: nss-nspr-maint
QA Contact: BaseOS QE Security Team
Blocks: 1049888 1149240
Reported: 2013-08-07 16:33 UTC by Hubert Kario
Modified: 2017-04-04 20:43 UTC

Doc Type: Bug Fix
Last Closed: 2017-04-04 20:43:48 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 852023 0 high CLOSED FIPS mode detection does not work 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 883460 1 None None None 2021-01-20 06:05:38 UTC

Internal Links: 852023 883460

Comment 1 Hubert Kario 2013-08-08 11:42:22 UTC
Problem caused by the fact that NSS ignores system-wide FIPS mode.

See bug 883460 and bug 852023.

After setting the NSS database to FIPS mode using

    modutil -fips true -force -dbdir certdb/

ocspclnt is unable to verify the signature of the certificate or CA; it reports the following error without sending a single OCSP query:

Verification of certificate "server" failed.  Reason:
Peer's certificate has an invalid signature.

Comment 4 RHEL Program Management 2014-01-22 16:27:37 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 9 RHEL Program Management 2014-07-16 00:26:16 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 11 Chris Williams 2017-04-04 20:43:48 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exits Production Phase 3 and enters Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. The specific support and services provided during each phase are described in detail at http://redhat.com/rhel/lifecycle

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.

