RHEL-105009

fips-provider-next should not be installed by default


    • fips-provider-next-1.2.0-5.el9
    • Yes
    • Important
    • 1
    • rhel-security-crypto
    • 23
    • 24
    • 1
    • False
    • False
    • Yes
    • Crypto25July
    • AC1) When compose is installed, fips-provider-next is not installed and openssl-fips-provider and openssl-fips-provider-so are installed.

      AC2) It is possible to swap openssl-fips-provider by fips-provider-next and vice-versa.
    • Pass
    • Not Needed
    • Automated
    • Feature
    • Feature, enhancement:

      The fips-provider-next package provides the next version of the FIPS provider that is going to be validated. It is not installed by default since openssl-fips-provider is the validated OpenSSL FIPS provider. The correct way of switching from openssl-fips-provider to fips-provider-next is to run the following command: dnf swap openssl-fips-provider fips-provider-next.

      Reason:
      Result:
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      What were you trying to do that didn't work?

      RHEL composes (starting with RHEL-9.7.0-20250713.2) now contain the fips-provider-next package, and this package is now being installed instead of openssl-fips-provider/openssl-fips-provider-so, which should be selected by default.
       

      What is the impact of this issue to you?

      We need openssl-fips-provider and openssl-fips-provider-so to be installed in order to claim FIPS 140-3 compliance.

      Please provide the package NVR for which the bug is seen:

      fips-provider-next-1.2.0-2.el9

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Install a compose.
      2. Check if fips-provider-next is installed 
      3. Check if openssl-fips-provider and openssl-fips-provider are installed

      Expected results

      2. fips-provider-next is not installed

      3. openssl-fips-provider and openssl-fips-provider are installed

      Actual results

      2. fips-provider-next is installed

      3. openssl-fips-provider and openssl-fips-provider are not installed

       

      #  rpm -qa | grep fips
      fips-provider-next-1.2.0-2.el9.x86_64
      
      # rpm -q openssl
      openssl-3.5.1-2.el9.x86_64
      
      # fips-mode-setup --check
      FIPS mode is enabled.
      
      # openssl list -providers
      Providers:
        base
          name: OpenSSL Base Provider
          version: 3.5.1
          status: active
        default
          name: OpenSSL Default Provider
          version: 3.5.1
          status: active
        fips
          name: OpenSSL FIPS Provider
          version: 1.2.0
          status: active

       

              rhn-engineering-ssorce Simo Sorce
              omoris Ondrej Moris
              Mirek Jahoda Mirek Jahoda
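The check from the reproduction steps above, as an added shell example that is not part of the original report: it classifies `rpm -qa` output by exact package name, so openssl-fips-provider-so is not counted as openssl-fips-provider. The function name and the package versions in the second sample are assumptions made for illustration.

```shell
#!/bin/sh
# Classify which OpenSSL FIPS provider packages a package list contains.
# Input (stdin): one name-version-release.arch string per line, as `rpm -qa` prints.
# Output: "next"      fips-provider-next is installed (not the validated provider)
#         "validated" openssl-fips-provider and openssl-fips-provider-so both installed
#         "missing"   neither of the above holds
classify_fips_provider() {
    has_provider=0 has_so=0 has_next=0
    while IFS= read -r nvra; do
        # Strip "-release.arch", then "-version", leaving the exact package
        # name. A plain `grep openssl-fips-provider` would also match the
        # -so subpackage and hide a missing base package.
        name=${nvra%-*}
        name=${name%-*}
        case $name in
            openssl-fips-provider)    has_provider=1 ;;
            openssl-fips-provider-so) has_so=1 ;;
            fips-provider-next)       has_next=1 ;;
        esac
    done
    if [ "$has_next" -eq 1 ]; then
        echo next
    elif [ "$has_provider" -eq 1 ] && [ "$has_so" -eq 1 ]; then
        echo validated
    else
        echo missing
    fi
}

# Constructed sample inputs. "reported" uses the package lines shown in the
# report; the 0.0.0-0 versions in "expected" are placeholders, not real NVRs.
reported='fips-provider-next-1.2.0-2.el9.x86_64
openssl-3.5.1-2.el9.x86_64'
expected='openssl-fips-provider-0.0.0-0.el9.x86_64
openssl-fips-provider-so-0.0.0-0.el9.x86_64
openssl-3.5.1-2.el9.x86_64'

printf '%s\n' "$reported" | classify_fips_provider
printf '%s\n' "$expected" | classify_fips_provider
```

On an installed system, `rpm -qa | classify_fips_provider` runs the same check against the live package database.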