Details
Normal Description
What were you trying to do that didn't work?
- When attempting to use dnf to install packages or list repositories in RHEL 9.3 under a FIPS:OSPP hardening profile, it returns the following error:
Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms': - Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure] Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
- This appears to be getting caused by the following line in /usr/share/crypto-policies/policies/modules/OSPP.pmod
group = -SECP256R1 -FFDHE-2048
If you comment out this line then re-run update-crypto-policies --set FIPS:OSPP and reboot, dnf functionality will be returned.
Please provide the package NVR for which bug is seen:
- crypto-policies-20230731-1.git94f0e2c.el9_3.1.noarch
How reproducible:
Consistently repeatable
- Set up a RHEL 9.3 minimal install
- dnf update -y (or use a CDN/boot iso install to get latest packages) to install crypto-policies-20230731-1.git94f0e2c.el9_3.1.noarch
- Set up FIPS mode as per our documentation
- fips-mode-setup --enable
- reboot
- Enable FIPS:OSPP
- update-crypto-policies --set FIPS:OSPP
- reboot
- Verify FIPS:OSPP hardening
- update-crypto-policies --show; fips-mode-setup --check
[root@rhel9.3 ~]# fips-mode-setup --check; update-crypto-policies --show FIPS mode is enabled. FIPS:OSPP
- update-crypto-policies --show; fips-mode-setup --check
- See failure when requesting dnf repos
- dnf clean all; dnf repolist -v
Expected results
[root@rhel9.3 ~]# dnf clean all; dnf repolist -v Updating Subscription Management repositories. 0 files removed Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, system-upgrade, uploadprofile Updating Subscription Management repositories. DNF version: 4.14.0 cachedir: /var/cache/dnf Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 17 MB/s | 15 MB 00:00 Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) 22 MB/s | 27 MB 00:01 Last metadata expiration check: 0:00:02 ago on Tue 28 Nov 2023 08:30:28 PM EST. Repo-id : rhel-9-for-x86_64-appstream-rpms Repo-name : Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) Repo-revision : 1701100150 Repo-updated : Mon 27 Nov 2023 10:49:10 AM EST Repo-pkgs : 14,508 Repo-available-pkgs: 14,225 Repo-size : 46 G Repo-baseurl : https://cdn.redhat.com/content/dist/rhel9/9/x86_64/appstream/os Repo-expire : 86,400 second(s) (last: Tue 28 Nov 2023 08:30:28 PM EST) Repo-filename : /etc/yum.repos.d/redhat.repo Repo-id : rhel-9-for-x86_64-baseos-rpms Repo-name : Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) Repo-revision : 1700562112 Repo-updated : Tue 21 Nov 2023 05:21:52 AM EST Repo-pkgs : 4,953 Repo-available-pkgs: 4,953 Repo-size : 8.1 G Repo-baseurl : https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os Repo-expire : 86,400 second(s) (last: Tue 28 Nov 2023 08:30:25 PM EST) Repo-filename : /etc/yum.repos.d/redhat.repo Total packages: 19,461
Actual results
[root@rhel9.3 ~]# dnf clean all; dnf repolist -v Updating Subscription Management repositories. 0 files removed Loaded plugins: builddep, changelog, config-manager, copr, debug, debuginfo-install, download, generate_completion_cache, groups-manager, needs-restarting, playground, product-id, repoclosure, repodiff, repograph, repomanage, reposync, subscription-manager, system-upgrade, uploadprofile Updating Subscription Management repositories. DNF version: 4.14.0 cachedir: /var/cache/dnf Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 0.0 B/s | 0 B 00:00 Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms': - Curl error (35): SSL connect error for https://cdn.redhat.com/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error:0A000410:SSL routines::sslv3 alert handshake failure] Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried [root@rhel9.3 ~]# [root@rhel9.3 ~]# [root@rhel9.3 ~]# fips-mode-setup --check; update-crypto-policies --show FIPS mode is enabled. FIPS:OSPP
