Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.0.0, rhel-9.1.0, rhel-9.2.0, rhel-9.3.0, rhel-9.4
Component/s: ruby
Labels:

Fixed in Build:
ruby-3.1.2-142.module_el9+787+b20bfeee (CentOS Stream), ruby-3.1.2-142.module+el9.4.0+21038+70f870c9 (RHEL)
Regression:
None
Severity:
Important
Keywords:

ZStream

Pool Team:

rhel-sst-pt-python-ruby-nodejs
Sub-System Group:

ssg_core_services

Dev Target Milestone:
4
Internal Target Milestone:
15
Story Points:
3
ACKs Check:

Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None
Release Blocker:
Approved Blocker
Target Backport Versions:

rhel-9.4.z

Preliminary Testing:
Pass
Test Coverage:
None

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2170105

PX Impact Score:
PX Technical Impact:
PX Impact Range:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:

With a FIPS enabled RHEL 9 system, a Ruby script that reads in a private key fails to do so. The same key can be read without FIPS enabled.

Version-Release number of selected component (if applicable):
Any Ruby version on RHEL 9.

How reproducible:
Always

Steps to Reproduce:
1. Acquire a RHEL 9 host with FIPS enabled
2. Register the machine

3. dnf module enable ruby
4. dnf install ruby
5. ruby -e "require 'openssl';OpenSSL::PKey.read(File.read('/etc/pki/consumer/key.pem'))"

Actual results:

-e:1:in `read': Could not parse PKey (OpenSSL::PKey::PKeyError)
from -e:1:in `<main>'

Expected results:

No errors

Additional info:

This issue was discovered when attempting to run Red Hat Satellite's foreman_scap_client script. The related BZ – https://bugzilla.redhat.com/show_bug.cgi?id=2168931

blocks

LOG-3933 Fluentd pods are in CrashLoopBackOff status when the cluster has FIPS enabled.

Closed

SAT-19389 RHEL9 clients with FIPS mode, failed to upload compliance report to Satellite and fails with exception(Unable to load certs)

Closed

SAT-25748 RHEL9 clients with FIPS mode, failed to upload compliance report to Satellite and fails with exception(Unable to load certs)

Closed

is blocked by

RHEL-5586 ruby:3.1/ruby: Rebase to the latest Ruby 3.1 release [rhel-9]

Closed

is related to

RHEL-12724 ruby: Ruby cannot read private key in FIPS mode on RHEL 9 [rhel-9]

Closed

relates to

RHEL-12724 ruby: Ruby cannot read private key in FIPS mode on RHEL 9 [rhel-9]

Closed

external trackers

Github openssl/openssl/issues/20657

PnT-DevOps Jira RHELPLAN-148913

Red Hat Issue Tracker CRYPTO-10359

Red Hat Issue Tracker RHELPLAN-148913

links to

RHBA-2023:124477 Major: ruby:3.1 bug fix update

mentioned on

Commit - Bypass git submodule test failure on Git >= 2.38.1.

Commit - Disable Fiddle test cases making use of FFI closure.

Commit - Fix for tzdata-2022g.

Commit - Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.

Commit - Fix tests with Europe/Amsterdam pre-1970 time on tzdata version 2022b.

Commit - ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter

Merge request - Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.

(1 relates to, 4 external trackers, 1 links to, 7 mentioned on)

Assignee:: Jarek Prokop

Reporter:: Eric Helms

QA Contact:: Lukas Zachar

Votes:: 0 Vote for this issue

Watchers:: 16 Start watching this issue

Created:: 2023/09/20 5:42 PM

Updated:: 2024/09/23 9:00 PM

Resolved:: 2024/06/12 9:31 AM

Target start:: 2023/10/10

Dev Target end:: 2024/03/25

Target end:: 2024/06/10