Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: crypto-policies
Labels:
- FIPS140
- kerberos

Pool Team:

sst_security_crypto
Sub-System Group:

ssg_security

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Products:

Red Hat Enterprise Linux

Experience:

PX Impact Score:
PX Priority Data:
SFDC Cases Counter:
SFDC Cases Links:

What were you trying to do that didn't work?

After

update-crypto-policies --set FIPS:OSPP

/etc/crypto-policies/back-ends/krb5.config does not have HMAC-SHA1 enctypes like

aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96

Please provide the package NVR for which bug is seen:

crypto-policies-20230731-1.git3177e06.el8

How reproducible:

Always

Steps to reproduce

update-crypto-policies --set FIPS:OSPP
grep -i 'hmac-sha1' /etc/crypto-policies/back-ends/krb5.config

Expected results

permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

Actual results

permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128

is duplicated by

RHEL-22158 realm command fails to join to AD domain post upgrade to RHEL 8.9 with crypto-policy FIPS:OSSP applied

Closed

Assignee:: Alexander Sosedkin

Reporter:: Ding Yi Chen

Developer:: Alexander Sosedkin

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/01/10 12:08 AM

Updated:: 2024/02/06 12:25 PM

Resolved:: 2024/01/30 2:21 PM