What were you trying to do that didn't work?
- When attempting to use dnf to install packages or list repositories in RHEL 9.3 under a FIPS:OSPP hardening profile, it returns the following error:
Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms': - Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure] Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
- This appears to be caused by the following line in /usr/share/crypto-policies/policies/modules/OSPP.pmod:
group = -SECP256R1 -FFDHE-2048
If you comment out this line, re-run update-crypto-policies --set FIPS:OSPP and reboot, dnf functionality is restored.
Please provide the package NVR for which the bug is seen:
- crypto-policies-20230731-1.git94f0e2c.el9_3.1.noarch
How reproducible:
Consistently repeatable
- Set up a RHEL 9.3 minimal install
- dnf update -y (or use a CDN/boot ISO install to get the latest packages) to install crypto-policies-20230731-1.git94f0e2c.el9_3.1.noarch
- Set up FIPS mode as per our documentation
  - fips-mode-setup --enable
  - reboot
- Enable FIPS:OSPP
  - update-crypto-policies --set FIPS:OSPP
  - reboot
- Verify FIPS:OSPP hardening
  - update-crypto-policies --show; fips-mode-setup --check
[root@rhel9.3 ~]# fips-mode-setup --check; update-crypto-policies --show
FIPS mode is enabled.
FIPS:OSPP
- See failure when requesting dnf repos
  - dnf clean all; dnf repolist -v
Expected results
[root@rhel9.3 ~]# dnf clean all; dnf repolist -v
Updating Subscription Management repositories.
0 files removed
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, system-upgrade, uploadprofile
Updating Subscription Management repositories.
DNF version: 4.14.0
cachedir: /var/cache/dnf
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)           17 MB/s |  15 MB     00:00
Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)        22 MB/s |  27 MB     00:01
Last metadata expiration check: 0:00:02 ago on Tue 28 Nov 2023 08:30:28 PM EST.
Repo-id            : rhel-9-for-x86_64-appstream-rpms
Repo-name          : Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
Repo-revision      : 1701100150
Repo-updated       : Mon 27 Nov 2023 10:49:10 AM EST
Repo-pkgs          : 14,508
Repo-available-pkgs: 14,225
Repo-size          : 46 G
Repo-baseurl       : https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os
Repo-expire        : 86,400 second(s) (last: Tue 28 Nov 2023 08:30:28 PM EST)
Repo-filename      : /etc/yum.repos.d/redhat.repo

Repo-id            : rhel-9-for-x86_64-baseos-rpms
Repo-name          : Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
Repo-revision      : 1700562112
Repo-updated       : Tue 21 Nov 2023 05:21:52 AM EST
Repo-pkgs          : 4,953
Repo-available-pkgs: 4,953
Repo-size          : 8.1 G
Repo-baseurl       : https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os
Repo-expire        : 86,400 second(s) (last: Tue 28 Nov 2023 08:30:25 PM EST)
Repo-filename      : /etc/yum.repos.d/redhat.repo
Total packages: 19,461
Actual results
[root@rhel9.3 ~]# dnf clean all; dnf repolist -v
Updating Subscription Management repositories.
0 files removed
Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, system-upgrade, uploadprofile
Updating Subscription Management repositories.
DNF version: 4.14.0
cachedir: /var/cache/dnf
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)            0.0  B/s |   0  B     00:00
Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms':
  - Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure]
Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
[root@rhel9.3 ~]#
[root@rhel9.3 ~]# fips-mode-setup --check; update-crypto-policies --show
FIPS mode is enabled.
FIPS:OSPP
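To make the mechanism behind the report concrete, here is an added example (not part of the bug report and not crypto-policies' own code) that emulates how a policy module's `group = ...` line rewrites the base policy's key-exchange group list, then checks whether the resulting client list still overlaps what a TLS server offers. A `handshake failure` alert is exactly what a server sends when the client's `supported_groups` leaves it no usable key-exchange group. Assumptions, labelled in the code: the base FIPS group list is the one this script hard-codes (assumed to match RHEL 9's FIPS.pol), the `+`/`-` prefix semantics follow the crypto-policies module format as the script implements it, and `SERVER_OFFERS` is a constructed server profile (a server supporting only X25519 and P-256), not a measurement of cdn.redhat.com.

```python
"""Emulate crypto-policies module semantics for the `group` key and check
whether a TLS client restricted by the resulting policy can still negotiate
a key-exchange group with a given server.

Added example for illustration; not crypto-policies' own implementation.
"""

# Assumption: key-exchange groups listed by the FIPS base policy in RHEL 9.
FIPS_GROUPS = [
    "SECP256R1", "SECP384R1", "SECP521R1",
    "FFDHE-2048", "FFDHE-3072", "FFDHE-4096", "FFDHE-6144", "FFDHE-8192",
]

# The module line quoted in the report (OSPP.pmod).
OSPP_GROUP_LINE = "group = -SECP256R1 -FFDHE-2048"

# Constructed server profile for the demonstration: a TLS endpoint that only
# offers X25519 and P-256 key shares. This is an assumption, not a
# measurement of cdn.redhat.com.
SERVER_OFFERS = ["X25519", "SECP256R1"]


def apply_module_line(base, line):
    """Apply one `key = value ...` line to a base list.

    Module semantics as assumed here: every token prefixed with '-' is removed
    from the base list, every token prefixed with '+' is appended, and a line
    of bare tokens replaces the whole list.
    """
    _, _, rhs = line.partition("=")
    tokens = rhs.split()
    if tokens and all(t[0] in "+-" for t in tokens):
        result = list(base)
        for token in tokens:
            name = token[1:]
            if token[0] == "-":
                result = [g for g in result if g != name]
            elif name not in result:
                result.append(name)
        return result
    return tokens


def effective_groups(module_lines, base=FIPS_GROUPS):
    """Return the group list after applying the `group` lines of a module.

    Lines whose key is not exactly `group` (including commented-out lines,
    whose key would be `# group`) are ignored, mirroring the reporter's
    workaround of commenting the line out.
    """
    groups = list(base)
    for line in module_lines:
        key = line.split("=", 1)[0].strip()
        if key == "group":
            groups = apply_module_line(groups, line)
    return groups


def negotiable_groups(client_groups, server_groups):
    """Groups both sides support, in client preference order.

    An empty result is the condition under which a TLS server has nothing to
    pick for the key exchange and responds with a handshake_failure alert.
    """
    return [g for g in client_groups if g in server_groups]


def diagnose(module_lines, server_groups=SERVER_OFFERS):
    """Summarise the effect of a module on connectivity to `server_groups`."""
    client = effective_groups(module_lines)
    common = negotiable_groups(client, server_groups)
    return {
        "client_groups": client,
        "negotiable": common,
        "handshake_possible": bool(common),
    }


if __name__ == "__main__":
    for label, lines in (("OSPP as shipped", [OSPP_GROUP_LINE]),
                         ("OSPP line commented out", ["# " + OSPP_GROUP_LINE])):
        print(label, "->", diagnose(lines))
```

On a live system the same check is done against the generated back-end configuration rather than the module file: the `Groups` line in the OpenSSL back-end config under /etc/crypto-policies/back-ends/ shows what the client will actually offer, and `openssl s_client -connect <host>:443 -groups <group>` can be used to probe, one group at a time, which of them a server is willing to use.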