Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Minor
Fix Version/s: rhel-9.4
Affects Version/s: None
Component/s: crypto-policies
Labels:
- Accepted
- CY23Q4

Fixed in Build:
crypto-policies-20231016-1.git77ceb0b.el9
Regression:
None
Severity:
Low
Epic Link:
CRYPTO-11831
sprint_count:
1

Pool Team:

rhel-sst-security-crypto
Sub-System Group:

ssg_security

Dev Target Milestone:
8
Internal Target Milestone:
10
Story Points:
1
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
Crypto23Q4

Acceptance Criteria:
1. OpenSSL doesn't fail to initialize in FIPS:SHA1:NO-ENFORCE-EMS policy.
Preliminary Testing:
Pass
Errata Link:
https://errata.devel.redhat.com/advisory/120978
Gating Tests:

Not Needed
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

update-crypto-policies --set FIPS:SHA1:NO-ENFORCE-EMS

generates

CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:-kRSAPSK:-kRSA:-aDSS:-CHACHA20:-SHA256:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
TLS.MinProtocol = TLSv1.2
TLS.MaxProtocol = TLSv1.3
DTLS.MinProtocol = DTLSv1.2
DTLS.MaxProtocol = DTLSv1.2
SignatureAlgorithms = ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1

[openssl_init]
alg_section = evp_properties

[evp_properties]
rh-allow-sha1-signatures = yes
Options = RHNoEnforceEMSinFIPS

and Options goes to evp_properties, not to the main section

OpenSSL fails to initialize with

# openssl s_client
FATAL: Startup failure (dev note: apps_startup()) for openssl
809B897AB97F0000:error:030000A9:digital envelope routines:alg_module_init:unknow
n option:crypto/evp/evp_cnf.c:74:name=Options, value=RHNoEnforceEMSinFIPS
809B897AB97F0000:error:0700006D:configuration file routines:module_run:module in
itialization error:crypto/conf/conf_mod.c:270:module=alg_section, value=evp_prop
erties retcode=-1

links to

RHEA-2023:120978 crypto-policies enhancement update

Upstream MR

mentioned on

Merge request - Update from upstream (:SHA1:NO-ENFORCE-EMS, ECDSAPxxxSHAxxx):

Assignee:: Alexander Sosedkin

Reporter:: Alexander Sosedkin

Developer:: Alexander Sosedkin

QA Contact:: Ondrej Moris

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2023/09/29 9:37 AM

Updated:: 2024/09/23 7:20 PM

Resolved:: 2024/04/30 10:15 AM

Dev Target end:: 2023/10/23

Target end:: 2023/11/06

Release Date:: 2024/04/30

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates