RHEL-150460

Make all algorithms have '?' in front of every algorithm in OpenSSL


    • Bug
    • Resolution: Unresolved
    • rhel-10.3
    • rhel-10.2
    • crypto-policies
    • rhel-security-crypto-spades

      What were you trying to do that didn't work?

      This is an OpenSSL-related issue

      A FIPS host with the DEFAULT policy is not using the provided groups at all, and the reason is that in the policy groups we have X448 (an algorithm not recognizable by FIPS OpenSSL), so the whole config line is thrown away.

      We can fix that by adding '?' before this algorithm (and every other, for that matter) so as to use it only if it is available.

      What is the impact of this issue to you?

      low

      Please provide the package NVR for which the bug is seen:

      crypto-policies-20251127-1.git27c2902.el10

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Have a FIPS host
      2. Change crypto-policy to DEFAULT
      3. Connect to a HybridPQ-only server

      Expected results

      Connection succeeds since Hybrid PQ algorithms are in the policy groups

      Actual results

      Connections fail with 'no common key shares found' error

              asosedki@redhat.com Alexander Sosedkin
              rh-ee-gpantela Georgios Stavros Pantelakis
              Alexander Sosedkin Alexander Sosedkin
              Ondrej Moris Ondrej Moris
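
The behaviour described in this report, modelled as an added example (not code from the issue, crypto-policies or OpenSSL): one unknown group without a leading '?' discards the whole group list, while a '?' prefix makes that entry skippable. The group list and the set of available groups are constructed samples, not the real DEFAULT policy line or the FIPS provider's actual inventory, and the function names are hypothetical.

```python
"""Model of the group-list behaviour described in the report (not OpenSSL code)."""

# Constructed sample: NOT the real DEFAULT policy line.
POLICY_GROUPS = "SecP256r1MLKEM768:X448:secp256r1:secp384r1"
# Constructed stand-in for what a FIPS provider offers; X448 is absent, per the report.
FIPS_AVAILABLE = {"SecP256r1MLKEM768", "secp256r1", "secp384r1"}


def effective_groups(group_list, available):
    """Return the groups that take effect, or None if the whole line is rejected.

    An unknown group without a leading '?' invalidates the entire list;
    an unknown group with a leading '?' is skipped.
    """
    kept = []
    for entry in filter(None, group_list.split(":")):
        optional = entry.startswith("?")
        name = entry[1:] if optional else entry
        if name in available:
            kept.append(name)
        elif not optional:
            return None  # whole config line thrown away
    return kept


def make_optional(group_list):
    """Prefix every entry with '?' unless it already has one (the proposed fix)."""
    entries = filter(None, group_list.split(":"))
    return ":".join(e if e.startswith("?") else "?" + e for e in entries)


def unprefixed(group_list):
    """List entries that would break the line if the provider lacks them."""
    return [e for e in group_list.split(":") if e and not e.startswith("?")]


if __name__ == "__main__":
    fixed = make_optional(POLICY_GROUPS)
    print("policy line:", POLICY_GROUPS)
    print("  effective:", effective_groups(POLICY_GROUPS, FIPS_AVAILABLE))
    print("  fragile entries:", unprefixed(POLICY_GROUPS))
    print("fixed line: ", fixed)
    print("  effective:", effective_groups(fixed, FIPS_AVAILABLE))
```
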