  1. OpenShift Bugs
  2. OCPBUGS-18124

IPI BM + FIPS not working with HP hardware due to ILO5 TLS limitation


    • Critical
    • No
    • Rejected
    • False

      Description of problem:

      In OCP 4.13.5, OpenSSL in FIPS mode started enforcing a requirement for the EMS extension in TLS 1.2, which golang 1.19 does not yet support.
      
      Updating the etcd client library removed the cap on the TLS version and allowed BMO to connect to ironic using TLS 1.3 (OCPBUGS-16013).
      
      However, for HP hardware, this fix still does not work because the latest ILO5 firmware (2.96) still supports neither TLS 1.3 nor TLS 1.2 EMS.

      Version-Release number of selected component (if applicable):

      4.13.x

      How reproducible:

      IPI BM + FIPS on real HP hardware like ProLiant DL380 Gen10

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      Provisioning failure

      Expected results:

      Successful provisioning

      Additional info:

      https://access.redhat.com/solutions/7018256

            rhn-engineering-dtantsur Dmitry Tantsur
            rhn-support-pamoedom Pedro Jose Amoedo Martinez
            Jad Haj Yahya Jad Haj Yahya
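
An added example, not part of the original report or of any OpenShift code: a shell check that reads `openssl s_client` output and reports whether an endpoint such as a BMC meets the requirement described above (TLS 1.3, or TLS 1.2 with EMS). The names `classify_tls` and `probe` and the `SAMPLE_*` outputs are constructed for illustration.

```shell
# Added example, not from the bug report: judge a TLS endpoint (e.g. a BMC)
# against the rule described above: TLS 1.3, or TLS 1.2 with EMS.
# classify_tls: read `openssl s_client` output on stdin, print one verdict.
# The body is a subshell "( )" so its variables and helper stay local.
classify_tls() (
    out=$(cat)
    # Session blocks can repeat, so take the last match for each field.
    field() {
        printf '%s\n' "$out" |
            sed -n "s/^ *$1 *: *\([A-Za-z0-9._-]*\).*/\1/p" | tail -n 1
    }
    proto=$(field 'Protocol')
    cipher=$(field 'Cipher')
    ems=$(field 'Extended master secret')
    # With TLS 1.3 the session block may be missing if s_client exits before
    # a session ticket arrives; the "New, TLSv1.3," summary line still prints.
    if printf '%s\n' "$out" | grep -q '^New, TLSv1\.3,'; then proto=TLSv1.3; fi
    if [ -z "$proto" ] || [ "$cipher" = "0000" ]; then
        echo "fail: handshake did not complete"  # cipher 0000: nothing negotiated
    elif [ "$proto" = "TLSv1.3" ]; then
        echo "ok: TLS 1.3"
    elif [ "$proto" = "TLSv1.2" ] && [ "$ems" = "yes" ]; then
        echo "ok: TLS 1.2 with EMS"
    elif [ "$proto" = "TLSv1.2" ]; then
        echo "fail: TLS 1.2 without EMS"
    else
        echo "fail: $proto is older than TLS 1.2"
    fi
)

# probe HOST:PORT (hypothetical helper): classify a live endpoint.
# Assumption: run from a non-FIPS host so the handshake can be inspected.
probe() { openssl s_client -connect "$1" </dev/null 2>/dev/null | classify_tls; }

# Constructed sample outputs, modelled on the s_client format (not captures).
SAMPLE_NO_EMS='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Extended master secret: no'
SAMPLE_EMS='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Extended master secret: yes'
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_FAILED='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Cipher    : 0000'
for s in "$SAMPLE_NO_EMS" "$SAMPLE_EMS" "$SAMPLE_TLS13" "$SAMPLE_FAILED"; do
    printf '%s\n' "$s" | classify_tls
done
```

To check real hardware, call `probe` with the BMC's address and HTTPS port.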