-
Bug
-
Resolution: Obsolete
-
Major
-
None
-
6.11.5
Description of problem:
FIPS-enabled RHEL9 clients are unable to communicate with Satellite 6.11
Version-Release number of selected component (if applicable):
Satellite server (RHEL7/6.11.5.4)
Satellite server (RHEL7satellite-6.10)
How reproducible:
Apply RHSA-2023:3722 on RHEL 9
Steps to Reproduce:
1. Enabled fips
2. yum updateinfo --installed RHSA-2023:3722
3. subscription-manager refresh ; yum repolist
Actual results:
- update-crypto-policies --show
FIPS
- cat /proc/sys/crypto/fips_enabled
1
- fips-mode-setup --check
FIPS mode is enabled.
- yum updateinfo --info RHSA-2023:3722
- subscription-manager refresh ; yum repolist
Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs) 0.0 B/s | 0 B 00:00
Errors during downloading metadata for repository 'rhel-9-for-x86_64-baseos-rpms':
- Curl error (35): SSL connect error for https://satellite.example.com/pulp/content/Default_Organization/Library/content/dist/rhel9/9/x86_64/baseos/os/repodata/repomd.xml [error:1C8000E9:Provider routines::ems not enabled]
Error: Failed to download metadata for repo 'rhel-9-for-x86_64-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
Expected results:
Do we have any workaround or upgrade underlying OS RHEL 7 to RHEL 8 will be the only option?
Additional info:
- yum list installed |grep -i openssl
openssl.x86_64 1:3.0.7-16.el9_2 @rhel-9-for-x86_64-baseos-rpms
openssl-libs.x86_64 1:3.0.7-16.el9_2 @rhel-9-for-x86_64-baseos-rpms
The Extended Master Secret TLS Extension is now enforced on FIPS-enabled systems
With the release of the RHSA-2023:3722 advisory, the TLS Extended Master Secret (EMS) extension (RFC 7627) is mandatory for TLS 1.2 connections on FIPS-enabled RHEL 9 systems. This is in accordance with FIPS-140-3 requirements. TLS 1.3 is not affected.
- external trackers
