  1. RDO Project
  2. RDO-124

https://trunk.rdoproject.org does not support Extended Master Secret extension


Details

    • Story
    • Resolution: Done
    • Normal
    • RDO Bobcat

    Description

      The https server in trunk.rdoproject.org does not support negotiation of the EMS extension for TLS 1.2 connections.

      This has not been a problem in the past, but now it's enforced by the FIPS 140-3 Implementation Guidance, and this requirement has been introduced in openssl-3.0.7-17.el9.x86_64 in C9S: https://bugzilla.redhat.com/show_bug.cgi?id=2157951

      In practical terms, this means that C9S systems with FIPS enabled are not able to install software from https://trunk.rdoproject.org

      This has caused an issue upstream: https://bugs.launchpad.net/neutron/+bug/2020661 . Although we are proposing not to use trunk.r.o in a devstack patch, I think this is a limitation in trunk.r.o that we should fix.

      A bz has been created to check whether there is a way to enable EMS in httpd/mod_ssl in RHEL7: https://bugzilla.redhat.com/show_bug.cgi?id=2209766


          People

            jcapitao1@redhat.com Joel Capitao
            amoralej1@redhat.com Alfredo Moralejo