(PA-3974) Remove DHE ciphers from openssl 1.1.1 FIPS #487

Merged
merged 2 commits into from
Sep 1, 2021

Conversation

GabrielNagy
Contributor

After bumping openssl-fips to 1.1.1k, all DHE ciphers stopped working, giving the following error:

error:141A3066:SSL routines:tls_process_ske_dhe:bad dh value:ssl/statem/statem_clnt.c:2136:

This caused the handshake between pxp-agent and pcp-broker to fail, because a DHE cipher was negotiated and the client couldn't handle it.

As a temporary fix, patch out all the DHE ciphers from openssl 1.1.1 FIPS.

@GabrielNagy GabrielNagy requested a review from a team September 1, 2021 13:30
@GabrielNagy GabrielNagy requested a review from a team as a code owner September 1, 2021 13:30
@CLAassistant

CLAassistant commented Sep 1, 2021

CLA assistant check
All committers have signed the CLA.

@puppetlabs puppetlabs deleted a comment from github-actions bot Sep 1, 2021
@github-actions

github-actions bot commented Sep 1, 2021

⚠️ DISCLAIMER

This task is still experimental, it can be invoked locally provided that development dependencies are installed (bundle install --with development).

Ensure all your local changes are committed, then run bundle exec rake vanagon:component_diff -- [options].

Run the task with --help to see all available options. If you notice unexpected behavior or want to suggest improvements, ping #prod-puppet-agent on Slack.

Here is what your code changes would affect:

Project agent-runtime-main

Platform name: redhatfips-7-x86_64

Component 'openssl-1.1.1-fips'

        Field: configure[0][9]

+ cd openssl-1.1.1k-4 && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-remove-non-fips-ciphers.patch && cd -

        Field: sources[8]

+ {"url"=>"file://resources/patches/openssl/openssl-1.1.1l-remove-non-fips-ciphers.patch"}
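Review bot: the patch file is named openssl-1.1.1l-remove-non-fips-ciphers.patch, but configure[0][9] applies it inside openssl-1.1.1k-4, so the file name no longer says which source tree it targets; rename it to match the 1.1.1k tarball it is actually applied to, or record in the component that one patch serves both releases. The name also says "non-fips-ciphers" while the PR title and description say only DHE ciphers are removed; a name such as remove-dhe-ciphers.patch would describe what is being patched out. Keeping --fuzz=0 is the right call: on the next openssl-fips bump the build should fail loudly rather than apply a cipher-list change at an offset.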

@ciprianbadescu ciprianbadescu requested a review from a team September 1, 2021 14:06
@luchihoratiu luchihoratiu merged commit b224ca1 into puppetlabs:master Sep 1, 2021
@GabrielNagy
Contributor Author

It looks like this is the same behavior as RedHat 8 FIPS, with the system openssl (1 means failure to connect):

[root@intimal-tub ~]# for cipher in $(openssl ciphers -s | tr ':' '\n' | sort); do echo Q | openssl s_client -cipher $cipher -connect builds.delivery.puppetlabs.net:443 &>/dev/null; ec=$?; echo $cipher : $ec; done
DHE-RSA-AES128-CCM : 1
DHE-RSA-AES128-GCM-SHA256 : 1
DHE-RSA-AES128-SHA : 1
DHE-RSA-AES128-SHA256 : 1
DHE-RSA-AES256-CCM : 1
DHE-RSA-AES256-GCM-SHA384 : 1
DHE-RSA-AES256-SHA : 1
DHE-RSA-AES256-SHA256 : 1
ECDHE-ECDSA-AES128-CCM : 1
ECDHE-ECDSA-AES128-GCM-SHA256 : 1
ECDHE-ECDSA-AES128-SHA : 1
ECDHE-ECDSA-AES128-SHA256 : 1
ECDHE-ECDSA-AES256-CCM : 1
ECDHE-ECDSA-AES256-GCM-SHA384 : 1
ECDHE-ECDSA-AES256-SHA : 1
ECDHE-RSA-AES128-GCM-SHA256 : 0
ECDHE-RSA-AES128-SHA : 0
ECDHE-RSA-AES128-SHA256 : 0
ECDHE-RSA-AES256-GCM-SHA384 : 0
ECDHE-RSA-AES256-SHA : 0
TLS_AES_128_CCM_SHA256 : 1
TLS_AES_128_GCM_SHA256 : 1
TLS_AES_256_GCM_SHA384 : 1
[root@intimal-tub ~]# which openssl
/usr/bin/openssl
[root@intimal-tub ~]# uname -a
Linux intimal-tub 4.18.0-80.el8.x86_64 #1 SMP Wed Mar 13 12:02:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@intimal-tub ~]# openssl version
OpenSSL 1.1.1g FIPS  21 Apr 2020

All DHE ciphers are failing with the same bad dh value error.
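
The per-cipher loop above records only an exit code, which hides why each handshake failed: a DH parameter the FIPS client refused ("bad dh value"), a cipher string that matched nothing the client can offer, or a suite the server simply declined. The script below is an added example, not code from the puppetlabs PR, pxp-agent or pcp-broker; it classifies each handshake by the reason OpenSSL prints and pins the protocol version to the one the cipher belongs to. The host and port arguments, the outcome token names and the sample s_client output in the comments are this example's own choices, and it assumes an OpenSSL 1.1.1 or later `openssl` binary on PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the puppetlabs PR: probe a TLS endpoint one
# cipher at a time and report why each handshake failed instead of a bare
# exit code. Assumes openssl 1.1.1+ on PATH (s_client prints a line of the
# form "New, TLSv1.2, Cipher is ..."). Host and port are caller-supplied
# (assumed) arguments; no real server is hard-coded here.

# classify_handshake: reads combined s_client stdout+stderr on stdin and
# prints one token for the outcome, plus the negotiated cipher on success.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'bad dh value'; then
        # The server sent DH parameters the (FIPS) client refused to use.
        echo 'client-rejected-dh'
    elif printf '%s\n' "$out" | grep -q 'no cipher match'; then
        # The -cipher/-ciphersuites string matched nothing this build offers.
        echo 'not-offerable'
    elif printf '%s\n' "$out" | grep -q 'handshake failure'; then
        # Server had no suite or certificate type compatible with the offer.
        echo 'server-refused'
    else
        # Success leaves "New, TLSv1.x, Cipher is <name>"; failure "(NONE)".
        negotiated=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
        if [ -n "$negotiated" ] && [ "$negotiated" != '(NONE)' ]; then
            echo "ok $negotiated"
        else
            echo 'unknown-failure'
        fi
    fi
}

# probe_cipher host port cipher: TLS 1.3 suite names (TLS_*) are selected
# with -ciphersuites, everything else with -cipher; the protocol version is
# pinned so a 0 exit cannot hide a silent fallback to a TLS 1.3 suite.
probe_cipher() {
    host=$1; port=$2; cipher=$3
    case "$cipher" in
        TLS_*) out=$(echo Q | openssl s_client -tls1_3 -ciphersuites "$cipher" -connect "$host:$port" 2>&1) ;;
        *)     out=$(echo Q | openssl s_client -tls1_2 -cipher "$cipher" -connect "$host:$port" 2>&1) ;;
    esac
    printf '%s : %s\n' "$cipher" "$(printf '%s\n' "$out" | classify_handshake)"
}

# probe_all host port: every cipher this openssl build supports, enumerated
# the same way as the one-line loop in the comment above.
probe_all() {
    for c in $(openssl ciphers -s | tr ':' '\n' | sort -u); do
        probe_cipher "$1" "$2" "$c"
    done
}

# Only probe when a host and port were given; sourcing the file for its
# functions (or running it without arguments) does no network I/O.
if [ "$#" -ge 2 ]; then
    probe_all "$1" "$2"
fi
```

Run it as `./probe.sh <host> 443`. Pinning `-tls1_2` matters: with TLS 1.3 enabled, `-cipher X` still lets the client offer the default TLS 1.3 suites, so a plain exit code of 0 can reflect a TLS 1.3 session rather than a handshake that actually used X. A `client-rejected-dh` result for every DHE suite, next to `ok` for the ECDHE-RSA ones, is the pattern the comment above describes and the reason this PR drops DHE from the client's list; if a server offers only DHE suites, that same client will now fail to connect at all rather than fall back.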
