RHEL-19826

mod_ssl doesn't work with ibmca engine in FIPS


    • Type: Bug
    • Resolution: Not a Bug
    • rhel-8.10.z
    • libica
    • rhel-arch-hw
    • ssg_platform_enablement

      What were you trying to do that didn't work?

      I have configured an s390x system to use the openssl ibmca engine.

      When I was running openssl s_server vs s_client the connection went fine.

      However, while running httpd+mod_ssl, curl/s_client were not able to connect to it.

      This was happening when

        SSLCryptoDevice ibmca

      was configured. After commenting out this setting everything was working again.

      In ssl_error log I can see:

      [ssl:info] [pid 80901:tid 4396276304144] [client ::1:56048] AH02008: SSL library error 1 in handshake (server foo:443)
      [ssl:info] [pid 80901:tid 4396276304144] SSL Library Error: error:14068044:SSL routines:do_ssl3_write:internal error
      [ssl:info] [pid 80901:tid 4396276304144] [client ::1:56048] AH01998: Connection closed to child 0 with abortive shutdown (server foo:443)

      In the s_client console I can see:


      No client certificate CA names sent
      Peer signing digest: SHA256
      Peer signature type: RSA-PSS
      Server Temp Key: ECDH, P-256, 256 bits

      SSL handshake has read 1215 bytes and written 284 bytes
      Verification: OK

      New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : ECDHE-RSA-AES256-GCM-SHA384
          Session-ID: 
          Session-ID-ctx: 
          Master-Key: 6BF403CF77E6126E3CBA9753DD2062D8ECC4F3065DA72CA01E6D8A7B84C3D99384098B4DD119692AD1CB208E5995D67D
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1703068952
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
          Extended master secret: yes

      read from 0x2aa4e5a7e10 [0x2aa4e5a0880] (8192 bytes => 0 (0x0))

      I was testing in permissive mode so SELinux is not an issue here.

      Please provide the package NVR for which the bug is seen:

      libica-4.2.3-1.el8.s390x
      openssl-1.1.1k-12.el8_9.s390x
      httpd-2.4.37-62.module+el8.9.0+19699+7a7a2044.s390x
      mod_ssl-2.4.37-62.module+el8.9.0+19699+7a7a2044.s390x

      How reproducible: always. It worked in RHEL-8.8 and has been broken since 8.9. It is possible that this is also due to libica changes, but maybe mod_ssl needs to be adjusted to talk to ibmca correctly.

      Steps to reproduce

      1. configure mod_ssl to use the ibmca engine

      Expected results

      connection works

      Actual results

      connection doesn't work
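The three ssl_error_log lines quoted in the report are the only evidence the server side gives; an operator watching a fleet of httpd hosts after a libica/openssl update will want them correlated per worker thread rather than read by eye. The parser below is an added example, not part of the report or of mod_ssl; it groups log lines by pid:tid, flags a handshake failure when AH02008 appears, attaches the OpenSSL error that follows it (splitting the packed code 0x14068044 into its library/function/reason fields as OpenSSL 1.1.x lays them out), and notes whether the connection ended with the abortive shutdown AH01998. The sample input is the report's three lines plus one constructed benign line with a placeholder message id.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from the report plus one benign line
# on another thread (AH00000 is a placeholder id, not a real mod_ssl message).
SAMPLE_LOG = """\
[ssl:info] [pid 80901:tid 4396276304144] [client ::1:56048] AH02008: SSL library error 1 in handshake (server foo:443)
[ssl:info] [pid 80901:tid 4396276304144] SSL Library Error: error:14068044:SSL routines:do_ssl3_write:internal error
[ssl:info] [pid 80901:tid 4396276304144] [client ::1:56048] AH01998: Connection closed to child 0 with abortive shutdown (server foo:443)
[ssl:info] [pid 80901:tid 4396276304145] [client ::1:56050] AH00000: constructed benign line
"""

# mod_ssl log line: "[ssl:level] [pid N:tid M] [client addr] message"; the client field is optional.
LINE_RE = re.compile(
    r"^\[ssl:(?P<level>\w+)\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
AH_RE = re.compile(r"^(?P<code>AH\d{5}): ")
# OpenSSL 1.1.x error string: error:<8 hex digits>:<library>:<function>:<reason>
OSSL_RE = re.compile(r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason) numbers.
    Layout: lib in bits 24-31, function in bits 12-23, reason in bits 0-11."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_ssl_error_log(text):
    """Return one dict per worker thread whose log shows an AH02008 handshake failure."""
    threads = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            threads[(m["pid"], m["tid"])].append(m)
    failures = []
    for (pid, tid), entries in threads.items():
        codes = [AH_RE.match(e["msg"])["code"] for e in entries if AH_RE.match(e["msg"])]
        if "AH02008" not in codes:
            continue  # no handshake failure on this thread
        detail = next((OSSL_RE.search(e["msg"]) for e in entries if OSSL_RE.search(e["msg"])), None)
        client = next((e["client"] for e in entries if e["client"]), None)
        failure = {"pid": pid, "tid": tid, "client": client,
                   "abortive_shutdown": "AH01998" in codes,
                   "openssl_func": None, "openssl_reason": None, "lib_id": None}
        if detail:
            lib, _, _ = decode_openssl_error(int(detail["hex"], 16))  # 0x14 == 20 == ERR_LIB_SSL
            failure.update(openssl_func=detail["func"], openssl_reason=detail["reason"], lib_id=lib)
        failures.append(failure)
    return failures


if __name__ == "__main__":
    for f in parse_ssl_error_log(SAMPLE_LOG):
        print(f)
```

A run over the real log would feed `parse_ssl_error_log(open("/var/log/httpd/ssl_error_log").read())`; a sudden count of failures whose `openssl_func` is `do_ssl3_write` right after an SSLCryptoDevice or libica change is the signal the report describes.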

              Daniel Horak (rhn-support-dhorak)
              Karel Srot (ksrot@redhat.com)
              SSG Security QE