Uploaded image for project: 'Migration Toolkit for Virtualization'
  1. Migration Toolkit for Virtualization
  2. MTV-633

FIPS 140-3 IG requires that only EMS KDF is in use for TLS 1.2 with modules validated after May 2023

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Critical Critical
    • 2.5.0
    • 2.4.0
    • Documentation
    • None
    • False
    • None
    • False

      The `Extended Master Secret` TLS Extension is now enforced on FIPS-enabled systems

      With the release of the link:https://access.redhat.com/errata/RHSA-2023:3722[RHSA-2023:3722] advisory, the TLS `Extended Master Secret` (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected.

      Legacy clients that do not support EMS or TLS 1.3 now cannot connect to FIPS servers running on RHEL 9. Similarly, RHEL 9 clients in FIPS mode cannot connect to servers that only support TLS 1.2 without EMS. This in practice means that these clients cannot connect to servers on RHEL 6, RHEL 7 and non-RHEL legacy operating systems. This is because the legacy 1.0.x versions of OpenSSL do not support EMS or TLS 1.3.

      For more information, see link:https://access.redhat.com/solutions/7018256[TLS Extension "Extended Master Secret" enforced with Red Hat Enterprise Linux 9.2].

       

      This change prevents connecting to VMware servers which stops all kinds of things such as backups and V2V conversions: see bug 2218721

       

      Arik explains the problem as "
      VMware customers that consider moving to OpenShift are unlikely to upgrade their vSphere environment to a version that supports TLS 1.3 or TLS 1.2 with EMS before transitioning - if we can't come up with an easy way to address this, it would likely be a serious blow to the effort of easing migrations from VMware using MTV and may impact ongoing POCs.

      Jochen, we faced this issue before releasing MTV 2.4.2 and eventually found a workaround by downgrading the version of the UBI9 image we use for the conversion pod in order to avoid getting this breaking change.
      We can't go back to EL8 - we need the improvements that exist in virt-v2v on EL9 (like installation of qemu-guest-agent) and I don't think we can avoid rebasing the EL9 based image of the conversion pod. To work with an updated version of openssl we would have to disable FIPS and as far as I understand, there's no easy way to do that "temporarily" (even if we install MTV on an OCP cluster with FIPS disabled it won't help us as the target cluster we migrate to have to be set with FIPS disabled).
      I realize the motivation for pushing for more secured settings but I think we need to find a way to work with existing versions of vSphere that are common in the field, at least with an easy workaround - in my opinion, that's a blocker for MTV 2.5"
       
      q
      https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/administration_guide/index#enabling-fips_in_rhv

       

       

              richard.hoch Richard Hoch
              rhn-support-anarnold A Arnold
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: