RHEL-36306

Using openssl.cnf with minor modifications breaks openssl in FIPS mode

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.0.beta
    • openssl
    • sst_security_crypto
    • ssg_security

      When the system openssl.cnf file is used with slight modifications as the parameter to the -config option, the FIPS module initialisation fails:

      cp /etc/pki/tls/openssl.cnf openssl.cnf
      sed -i 's/.*unique_subject.*/unique_subject = yes/' openssl.cnf
      sed -i 's/^dir.*/dir = \./' openssl.cnf
      openssl req -config openssl.cnf -passout pass:securepass -new -x509 -days 3650 \
          -extensions v3_ca -keyout private/cakey.pem -out cacert.pem \
          -subj "/C=XX/ST=mystate/L=mytown/O=myorganisation/OU=myou/CN=myname/emailAddress=myemail/"
      

      results in

      Error configuring OpenSSL modules
      80D204A2497F0000:error:0700006D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:276:module=providers, value=provider_sect retcode=-1 
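
An added triage check, not part of the original report: it applies the report's two sed edits to a constructed stand-in for the system config and lists which sections they changed. The sample file contents and the function names are assumptions; only `provider_sect` and the sed expressions come from the report.

```shell
#!/bin/sh
# Constructed stand-in for /etc/pki/tls/openssl.cnf (NOT the real RHEL file).
write_sample_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[CA_default]
dir = /etc/pki/CA
#unique_subject = no

[tsa_config1]
dir = /etc/pki/CA
EOF
}

# The two sed edits from the report, applied in place to the file in $1.
apply_report_edits() {
    sed -i 's/.*unique_subject.*/unique_subject = yes/' "$1"
    sed -i 's/^dir.*/dir = \./' "$1"
}

# Print each section containing a line that differs between $1 and $2.
# Relies on both files having the same line count, which holds for s/// edits.
changed_sections() {
    awk '
        NR == FNR { orig[FNR] = $0; next }       # first file: remember lines
        /^[ \t]*\[/ {                             # section header in second file
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
        }
        $0 != orig[FNR] { print (sec == "" ? "default" : sec) }
    ' "$1" "$2" | sort -u
}

# Demo: copy, edit, and report the sections the edits reached.
tmp=$(mktemp -d)
write_sample_cnf "$tmp/system.cnf"
cp "$tmp/system.cnf" "$tmp/openssl.cnf"
apply_report_edits "$tmp/openssl.cnf"
changed_sections "$tmp/system.cnf" "$tmp/openssl.cnf"
rm -rf "$tmp"
```

On a real system, pass `/etc/pki/tls/openssl.cnf` and the edited copy to `changed_sections`; if the output names no provider-related section, the edited lines did not alter the provider configuration.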
      

            Dmitry Belyavskiy (dbelyavs@redhat.com)
            Hubert Kario (hkario@redhat.com)
            Dmitry Belyavskiy
            SSG Security QE