RHEL 9.4 - Default OpenSSL provider active when FIPS is enabled
Hello,
I am testing some of the features of my product on RHEL 9.4 with FIPS enabled.
I noticed that the default OpenSSL provider is active on RHEL:
~~~
[rhel 9.4]$ fips-mode-setup --check
FIPS mode is enabled.
[rhel 9.4]$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active
~~~
While it is not active in Ubuntu 22 (with FIPS enabled as well):
~~~
[ubuntu 22]$ cat /proc/sys/crypto/fips_enabled
1
[ubuntu 22]$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: Ubuntu 22.04 OpenSSL Cryptographic Module
    version: 3.0.5-0ubuntu0.1+Fips2.1
    status: active
~~~
I noticed this while trying to use a PKCS#12 package. It fails on Ubuntu, but succeeds on RHEL:
~~~
[ubuntu 22]$ openssl pkcs12 -nodes -in testexportaes.pfx -out testexportaes.pem -password pass:******
Error verifying PKCS12 MAC; no PKCS12KDF support.
Use -nomacver if MAC verification is not required.
[rhel 9.4]$ openssl pkcs12 -nodes -in testexportaes.pfx -out testexportaes.pem -password pass:******
[rhel 9.4]$
~~~
This issue confirms that PKCS12KDF is not supported on FIPS: https://github.com/openssl/openssl/issues/19997
The same post mentions this can be worked around by using the default provider, but that doing so is not FIPS compliant.
My question is whether the default provider should be active on RHEL, or if there are any additional steps to enable FIPS on RHEL other than what is posted here: https://access.redhat.com/solutions/137833#rhel9
Thank you!
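As an added example (not part of the original post, and not a Red Hat or Ubuntu tool), the following POSIX shell script performs the check the post does by hand: it reads the kernel FIPS flag and parses `openssl list -providers` output to report whether the `default` provider is loaded alongside `fips`. It assumes the listing format shown above (a provider's short name on its own line, followed by indented `name:`/`version:`/`status:` lines); the two sample listings are constructed from the post so the script runs offline. It only reports the state and does not decide whether a `default`-plus-`fips` configuration is expected on RHEL, which is the open question here.

```shell
#!/bin/sh
# Audit helper: which OpenSSL 3 providers are active, and is the kernel in FIPS mode?

# Constructed sample listings (copied from the post's RHEL 9.4 and Ubuntu 22.04 output).
SAMPLE_RHEL='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active'

SAMPLE_UBUNTU='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: Ubuntu 22.04 OpenSSL Cryptographic Module
    version: 3.0.5-0ubuntu0.1+Fips2.1
    status: active'

# kernel_fips_enabled [path]: succeed when the kernel FIPS flag file reads "1".
# The path argument exists only so the function can be tested against a temp file;
# the real flag lives at /proc/sys/crypto/fips_enabled.
kernel_fips_enabled() {
  f=${1:-/proc/sys/crypto/fips_enabled}
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# active_providers: read `openssl list -providers` text on stdin and print the
# short name of every provider whose status line says "active", one per line.
active_providers() {
  awk '
    # a provider short name is the only field on its line and does not end in ":"
    NF == 1 && $1 !~ /:$/ { name = $1 }
    # the status line belongs to the most recently seen provider name
    $1 == "status:" && $2 == "active" { print name }
  '
}

# fips_only: read a provider listing on stdin; succeed only when the fips
# provider is active and the default provider is not. Prints a one-line verdict.
fips_only() {
  active=$(active_providers)
  if ! printf '%s\n' "$active" | grep -qx fips; then
    echo "FIPS provider is not active"
    return 1
  fi
  if printf '%s\n' "$active" | grep -qx default; then
    echo "default provider is active alongside the fips provider"
    return 1
  fi
  echo "only base/fips providers are active"
  return 0
}

# Demonstrate on the constructed samples, then on the live system if openssl is present.
printf 'RHEL sample:   ' ; printf '%s\n' "$SAMPLE_RHEL"   | fips_only
printf 'Ubuntu sample: ' ; printf '%s\n' "$SAMPLE_UBUNTU" | fips_only
if command -v openssl >/dev/null 2>&1; then
  if kernel_fips_enabled; then echo "kernel: fips_enabled=1"; else echo "kernel: FIPS flag not set"; fi
  printf 'this host:     ' ; openssl list -providers 2>/dev/null | fips_only || true
fi
```

Run it as a plain script on each host; the exit status of `fips_only` makes it usable from a CI or compliance check, and the parser is field-based rather than indentation-based so it tolerates the slightly different spacing the two distributions print.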