Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.13, 4.14, 4.15, 4.16, 4.17
Component/s: Bare Metal Hardware Provisioning / baremetal-operator
Labels:
- TLSv1.3
- fips
- triaged

Severity:
Critical
Regression:
No
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
In OCP 4.13.5, OpenSSL in FIPS mode started enforcing a requirement for the EMS extension in TLS 1.2 or a usage of TLS 1.3. However, for HPE hardware, older versions of BMC firmware support neither EMS nor TLS 1.3. Customers need to update the firmware of their HPE iLO to at least version 3.04 if they need FIPS mode.

Show
In OCP 4.13.5, OpenSSL in FIPS mode started enforcing a requirement for the EMS extension in TLS 1.2 or a usage of TLS 1.3. However, for HPE hardware, older versions of BMC firmware support neither EMS nor TLS 1.3. Customers need to update the firmware of their HPE iLO to at least version 3.04 if they need FIPS mode.
Release Note Type:
Known Issue
Release Note Status:
In Progress

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:
PX Priority Data:
PX Review Complete:

Description of problem:

In OCP 4.13.5, OpenSSL in FIPS mode started enforcing a requirement for the EMS extension in TLS 1.2, which golang 1.19 does not yet support.

Updating the etcd client library removed the cap on the TLS version and allowed BMO to connect to ironic using TLS 1.3 (OCPBUGS-16013).

However, for HP hardware, this fix is still not working because ILO5 latest firmware (2.96) still doesn't support TLS1.3 nor TLS1.2 EMS.

Version-Release number of selected component (if applicable):

4.13.x

How reproducible:

IPI BM + FIPS on real HP hardware like ProLiant DL380 Gen10

Steps to Reproduce:

1.
2.
3.

Actual results:

Provisioning failure

Expected results:

Successful provisioning

Additional info:

https://access.redhat.com/solutions/7018256

impacts account

OCPBUGS-16013 Failed to install cluster with IPI baremetal with fips enable

Closed

Assignee:: Dmitry Tantsur

Reporter:: Pedro Jose Amoedo Martinez

QA Contact:: Pedro Jose Amoedo Martinez

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2023/08/25 2:04 PM

Updated:: 2024/06/10 11:58 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates