-
Bug
-
Resolution: Done-Errata
-
Minor
-
None
-
crypto-policies-20231016-1.git77ceb0b.el9
-
Minor
-
sst_security_crypto
-
ssg_security
-
8
-
10
-
1
-
QE ack, Dev ack
-
False
-
-
No
-
Crypto23Q4
-
- OpenSSL doesn't fail to initialize in FIPS:SHA1:NO-ENFORCE-EMS policy.
-
Pass
-
Not Needed
update-crypto-policies --set FIPS:SHA1:NO-ENFORCE-EMS
generates
CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSAPSK:-kRSA:-aDSS:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256 TLS.MinProtocol = TLSv1.2 TLS.MaxProtocol = TLSv1.3 DTLS.MinProtocol = DTLSv1.2 DTLS.MaxProtocol = DTLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1 [openssl_init] alg_section = evp_properties [evp_properties] rh-allow-sha1-signatures = yes Options = RHNoEnforceEMSinFIPS
and Options goes to evp_properties, not to the main section
OpenSSL fails to initialize with
# openssl s_client FATAL: Startup failure (dev note: apps_startup()) for openssl 809B897AB97F0000:error:030000A9:digital envelope routines:alg_module_init:unknow n option:crypto/evp/evp_cnf.c:74:name=Options, value=RHNoEnforceEMSinFIPS 809B897AB97F0000:error:0700006D:configuration file routines:module_run:module in itialization error:crypto/conf/conf_mod.c:270:module=alg_section, value=evp_prop erties retcode=-1
- links to
-
RHEA-2023:120978
crypto-policies enhancement update
- mentioned on
