• openssh-8.7p1-44.el9
    • Low
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 11
    • 1
    • False
    • No
    • Red Hat Enterprise Linux
    • Crypto24Q4
    • AC: "error in libcrypto" is returned with extended openssl error output
    • Pass
    • Not Needed
    • Automated
    • Release Note Not Required

      Goal

      • As an admin, I want to be able to troubleshoot libcrypto issues when connections through ssh do not make it. For now I'm getting "error: userauth_pubkey: parse key: error in libcrypto" message which doesn't help finding the root cause at all.
        I need the exact message from libcrypto library to be returned.

      Acceptance Criteria

      • "error in libcrypto" is not returned in case of algo error, but a detailed useful message

      Additional details

      Currently the openssh code has this:

              case SSH_ERR_LIBCRYPTO_ERROR:
                      return "error in libcrypto";  /* XXX fetch and return */

      The "XXX" seems self-explanatory that this error is still work in progress.

            [RHEL-52293] Provide details on crypto error instead of "error in libcrypto"

            Dmitry Belyavskiy added a comment:
            I have implemented the function to dump the OpenSSL error stack to the log. It may still not be detailed enough, and the function has to be called explicitly, but at least it should provide some more details.

            Renaud Métrich added a comment:
            dbelyavs@redhat.com I have a use case: connecting from a RHEL9 system to a RHEL6 system (ssh-rsa only).
            With a custom module that only enables SHA1 for ssh, I get this:

            # cat /etc/crypto-policies/policies/modules/SHA1-SSHONLY.pmod 
            # This subpolicy adds SHA1 hash and signature support for SSH only
            hash@ssh = SHA1+
            sign@ssh = ECDSA-SHA1+ RSA-PSS-SHA1+ RSA-SHA1+
            sha1_in_certs@ssh = 1
            
            # update-crypto-policies --set DEFAULT:SHA1-SSHONLY
            
            # ssh vm-rhel6
            ssh_dispatch_run_fatal: Connection to 192.168.122.233 port 22: error in libcrypto
            

            This is because SHA1 must somehow be enabled in OpenSSL as well.

            Renaud Métrich added a comment:
            rhn-support-saime was able to reproduce using a certificate.

            Dmitry Belyavskiy added a comment:
            rhn-support-rmetrich, do you have any guidelines on how to reproduce some of the use cases?

            Dmitry Belyavskiy added a comment:
            I'm going to spend some time investigating it in Q4.

            Dmitry Belyavskiy added a comment:
            Yes, it's the most likely reason. Unfortunately, getting the exact error into the log isn't trivial. I can try doing it on a case-by-case basis.

              dbelyavs@redhat.com Dmitry Belyavskiy
              rhn-support-rmetrich Renaud Métrich
              Dmitry Belyavskiy Dmitry Belyavskiy
              Miluse Bezo Konecna Miluse Bezo Konecna