Details
-
Bug
-
Resolution: Done-Errata
-
Minor
-
rhel-9.3.0
-
openssl-3.0.7-26.el9
-
sst_security_crypto
-
ssg_security
-
26
-
0.5
-
False
-
-
No
-
Red Hat Enterprise Linux
-
Crypto24Q1
-
-
Pass
-
Enabled
-
Yes
-
Release Note Not Required
-
All
Description
What were you trying to do that didn't work?
When setting up the PKCS#11 engine in /etc/pki/tls/openssl.cnf GIT and CURL are displaying SSL errors for the target server supporting only a NIST curve based Key Exchange algorithm (e.g. ECDHE-RSA-AES256-GCM-SHA384)
Please provide the package NVR for which bug is seen:
openssl-3.0.7-24.el9.x86_64
openssl-pkcs11-0.4.11-7.el9.x86_64
Steps to reproduce
1. add pkcs11 engine in /etc/pki/tls/openssl.cnf:
-------------------------------------------------------------
[openssl_init]
providers = provider_sect
ssl_conf = ssl_module
engines = engine_sect
[engine_sect]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib64/softhsm/libsofthsm.so
init = 0
-------------------------------------------------------------
2. test the connection to a remote server supporting only a NIST curve based Key Exchange algorithms:
GIT (git pull) : fatal: unable to access 'https://xxxxxxxxxxxxxxxx/': error:0A080006:SSL routines::EVP lib
- curl -v --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://xxxxxxxxxxxxxxxx/
Expected results:
connection ok
Actual results:
GIT (git pull) : fatal: unable to access 'https://xxxxxxxxxxxxxxxx/': error:0A080006:SSL routines::EVP lib
CURL (partial output) :
- curl -v --ciphers ECDHE-RSA-AES256-GCM-SHA384 https://xxxxxxxxxxxxxxxx/
[...]
- TLSv1.0 (OUT), TLS header, Certificate Status (22):
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- CONNECT phase completed!
- CONNECT phase completed!
- TLSv1.2 (IN), TLS header, Certificate Status (22):
- TLSv1.3 (IN), TLS handshake, Server hello (2):
- TLSv1.2 (IN), TLS header, Certificate Status (22):
- TLSv1.2 (IN), TLS handshake, Certificate (11):
- TLSv1.2 (IN), TLS header, Certificate Status (22):
- TLSv1.2 (IN), TLS handshake, Server key exchange (12):
- TLSv1.2 (OUT), TLS header, Unknown (21):
- TLSv1.2 (OUT), TLS alert, internal error (592):
- error:0A080006:SSL routines::EVP lib
- Closing connection 0
curl: (35) error:0A080006:SSL routines::EVP lib
openssl s_client example output:
- openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -connect xxxxxxxxxxxxxxxx:443
[...]
verify return:1
80CB2921637F0000:error:0A080006:SSL routines:ssl_generate_param_group:EVP lib:ssl/s3_lib.c:4748:
80CB2921637F0000:error:0A00013A:SSL routines:tls_process_ske_ecdhe:unable to find ecdh parameters:ssl/statem/statem_clnt.c:2146:
[...]
Additional information:
The concerning behaviour was discussed in the upstream (https://github.com/openssl/openssl/issues/20161) and then fixed with https://github.com/openssl/openssl/pull/20780
Would it be possible to consider backporting of the upstream fix to RHEL9's openssl 3.0.7?
Attachments
Issue Links
- links to
-
RHSA-2023:124119
openssl bug fix and enhancement update
- mentioned on
