RHEL-105009

fips-provider-next should not be installed by default


    • fips-provider-next-1.2.0-5.el9
    • Yes
    • Important
    • 1
    • rhel-security-crypto
    • 23
    • 24
    • 1
    • False
    • False
    • Yes
    • Crypto25July
      AC1) When a compose is installed, fips-provider-next is not installed and openssl-fips-provider and openssl-fips-provider-so are installed.

      AC2) It is possible to swap openssl-fips-provider for fips-provider-next and vice versa.
    • Pass
    • Not Needed
    • Automated
    • Feature
      .New package: `fips-provider-next`

      The `fips-provider-next` package provides the next version of the FIPS provider that is submitted to the National Institute of Standards and Technology (NIST) for validation. The package is not installed by default because the `openssl-fips-provider` package is the validated OpenSSL FIPS provider. To switch from `openssl-fips-provider` to `fips-provider-next`:
      ----
      # dnf swap openssl-fips-provider fips-provider-next
      ----
    • Done
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      What were you trying to do that didn't work?

      RHEL composes (starting with RHEL-9.7.0-20250713.2) now contain the fips-provider-next package, and this package is now being installed instead of openssl-fips-provider/openssl-fips-provider-so, which should be selected by default.
       

      What is the impact of this issue to you?

      We need openssl-fips-provider and openssl-fips-provider-so to be installed in order to claim FIPS 140-3 compliance.

      Please provide the package NVR for which the bug is seen:

      fips-provider-next-1.2.0-2.el9

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Install a compose.
      2. Check if fips-provider-next is installed 
      3. Check if openssl-fips-provider and openssl-fips-provider are installed

      Expected results

      2. fips-provider-next is not installed

      3. openssl-fips-provider and openssl-fips-provider are installed

      Actual results

      2. fips-provider-next is installed

      3. openssl-fips-provider and openssl-fips-provider are not installed

       

      #  rpm -qa | grep fips
      fips-provider-next-1.2.0-2.el9.x86_64
      
      # rpm -q openssl
      openssl-3.5.1-2.el9.x86_64
      
      # fips-mode-setup --check
      FIPS mode is enabled.
      
      # openssl list -providers
      Providers:
        base
          name: OpenSSL Base Provider
          version: 3.5.1
          status: active
        default
          name: OpenSSL Default Provider
          version: 3.5.1
          status: active
        fips
          name: OpenSSL FIPS Provider
          version: 1.2.0
          status: active
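
The check behind AC1, as an added example that is not part of the original report or of Red Hat's test suite: it reads `rpm -qa` output on stdin, compares exact package names, and separately extracts the version of the loaded `fips` provider from `openssl list -providers` output (1.2.0 in the report, matching the fips-provider-next package). The function names and the placeholder versions in `OK_PKGS` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: AC1 check for RHEL-105009, fed with command output on stdin.

# Package lists in `rpm -qa` form. BUG_PKGS is the state quoted in the report;
# OK_PKGS is constructed, with placeholder versions.
BUG_PKGS='fips-provider-next-1.2.0-2.el9.x86_64
openssl-3.5.1-2.el9.x86_64'
OK_PKGS='openssl-fips-provider-0.0.0-0.el9.x86_64
openssl-fips-provider-so-0.0.0-0.el9.x86_64
openssl-3.5.1-2.el9.x86_64'

# Strip "-version-release.arch" so only the package name is compared and
# openssl-fips-provider is not confused with openssl-fips-provider-so.
pkg_names() { sed -E 's/-[^-]+-[^-]+$//'; }

# Returns a bit mask: 0 = AC1 holds, 1 = fips-provider-next installed,
# 2 = a validated provider package is missing, 3 = both.
check_ac1() {
    names=$(pkg_names)
    rc=0
    for required in openssl-fips-provider openssl-fips-provider-so; do
        if ! printf '%s\n' "$names" | grep -qxF "$required"; then
            echo "MISSING: $required"
            rc=$((rc | 2))
        fi
    done
    if printf '%s\n' "$names" | grep -qxF fips-provider-next; then
        echo "UNEXPECTED: fips-provider-next"
        rc=$((rc | 1))
    fi
    return "$rc"
}

# Print the version of the "fips" section in `openssl list -providers` output
# (prints nothing when no FIPS provider is loaded).
fips_provider_version() {
    awk 'NF == 1 && $1 !~ /:$/ { section = $1 }
         section == "fips" && $1 == "version:" { print $2 }'
}

# Demo on the embedded samples; on a host use: rpm -qa | check_ac1
printf '%s\n' "$BUG_PKGS" | check_ac1 || echo "AC1 violated (mask $?)"
printf '%s\n' "$OK_PKGS" | check_ac1 && echo "AC1 holds"
```
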

       

              rhn-engineering-ssorce Simo Sorce
              omoris Ondrej Moris
              Malhar Jivrajani
              Simo Sorce Simo Sorce
              Ondrej Moris Ondrej Moris
              Mirek Jahoda Mirek Jahoda