Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-4955

RHEL 7.9 client installation fails in FIPS mode with 9.2 server

Details

    • Bug
    • Resolution: Unresolved
    • Undefined
    • None
    • rhel-9.2.0
    • ipa
    • sst_idm_ipa
    • ssg_idm
    • False
    • Hide

      None

      Show
      None
    • Unspecified
    • Known Issue
    • Hide
      .Installing a RHEL 7 IdM client with a RHEL 9.2+ IdM server in FIPS mode fails due to EMS enforcement

      The TLS `Extended Master Secret` (EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 and later systems. This is in accordance with FIPS-140-3 requirements. However, the `openssl` version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 9.2 and later fails.

      If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around the problem by removing the requirement for EMS usage on the RHEL 9 server by applying a NO-ENFORCE-EMS subpolicy on top of the FIPS crypto policy:

      ----
      # update-crypto-policies --set FIPS:NO-ENFORCE-EMS
      ----

      Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client succeeds.
      Show
      .Installing a RHEL 7 IdM client with a RHEL 9.2+ IdM server in FIPS mode fails due to EMS enforcement The TLS `Extended Master Secret` (EMS) extension (RFC 7627) is now mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9.2 and later systems. This is in accordance with FIPS-140-3 requirements. However, the `openssl` version available in RHEL 7.9 and lower does not support EMS. In consequence, installing a RHEL 7 Identity Management (IdM) client with a FIPS-enabled IdM server running on RHEL 9.2 and later fails. If upgrading the host to RHEL 8 before installing an IdM client on it is not an option, work around the problem by removing the requirement for EMS usage on the RHEL 9 server by applying a NO-ENFORCE-EMS subpolicy on top of the FIPS crypto policy: ---- # update-crypto-policies --set FIPS:NO-ENFORCE-EMS ---- Note that this removal goes against the FIPS 140-3 requirements. As a result, you can establish and accept TLS 1.2 connections that do not use EMS, and the installation of a RHEL 7 IdM client succeeds.
    • Done

    Description

      Description of problem:
      Installation of a RHEL 7.9 client fails in FIPS mode with a RHEL 9.2 server.

      Version-Release number of selected component (if applicable):
      Client:

      1. rpm -qa ipa-client openssl
        ipa-client-4.6.8-5.el7_9.14.x86_64
        openssl-1.0.2k-26.el7_9.x86_64

      Server:

      1. rpm -qa ipa-server openssl
        openssl-3.0.7-16.el9_2.x86_64
        ipa-server-4.10.1-7.el9_2.x86_64

      How reproducible:
      Always

      Steps to Reproduce:
      1. Install a RHEL 9.2 server in FIPS mode
      ipa-server-install --domain ipa.test --realm IPA.TEST -a password - password -U
      2. Install a RHEL 7.9 client in FIPS mode
      ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password password -U

      Actual results:
      The client installation fails due to a SSL handshake failure:

      1. ipa-client-install --domain ipa.test --realm IPA.TEST --server server.ipa.test --principal admin --password Secret123 -U
        WARNING: ntpd time&date synchronization service will not be configured as
        conflicting service (chronyd) is enabled
        Use --force-ntpd option to disable it and force configuration of ntpd

      Client hostname: client.ipa.test
      Realm: IPA.TEST
      DNS Domain: ipa.test
      IPA Server: server.ipa.test
      BaseDN: dc=ipa,dc=test

      Skipping synchronizing time with NTP server.
      Successfully retrieved CA cert
      Subject: CN=Certificate Authority,O=IPA.TEST
      Issuer: CN=Certificate Authority,O=IPA.TEST
      Valid From: 2023-07-06 12:52:19
      Valid Until: 2043-07-06 12:52:19

      Enrolled in IPA realm IPA.TEST
      Created /etc/ipa/default.conf
      New SSSD config will be created
      Configured sudoers in /etc/nsswitch.conf
      Configured /etc/sssd/sssd.conf
      trying https://server.ipa.test/ipa/json
      [try 1]: Forwarding 'schema' to json server 'https://server.ipa.test/ipa/json'
      cannot connect to 'https://server.ipa.test/ipa/json': [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
      The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

      Expected results:
      Client installation should succeed.

      Additional info:
      This issue is related to the change done on openssl side with Bug 2188046 - Support requiring EMS in TLS 1.2, default to it when in FIPS mode [rhel-9.2.0.z]

      In FIPS mode, if the server is installed with openssl-3.0.7-16.el9_2, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections.
      RHEL 7.9 clients can communicate only using TLS 1.2 but don't support this extension. RHEL 8.x clients support TLS 1.2 and TLS 1.3 and are not impacted.

      The direct consequence is that RHEL 7.9 clients cannot join a RHEL 9.2+ server in FIPS mode. This limitation should be documented.

      Attachments

        Activity

          People

            frenaud@redhat.com Florence Renaud
            frenaud@redhat.com Florence Renaud
            Florence Renaud Florence Renaud
            IPA QE Bot IPA QE Bot
            Filip Hanzelka Filip Hanzelka
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated: