  • RHEL 9.4 - Default OpenSSL provider active when FIPS is enabled

    Hello,

    I am testing some of the features of my product on RHEL 9.4 with FIPS enabled.

    I noticed that the default OpenSSL provider is active on RHEL:

    [rhel 9.4]$ fips-mode-setup --check
    FIPS mode is enabled.
    
    [rhel 9.4]$ openssl list -providers
    Providers:
      base
        name: OpenSSL Base Provider
        version: 3.0.7
        status: active
      default
        name: OpenSSL Default Provider
        version: 3.0.7
        status: active
      fips
        name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
        version: 3.0.7-395c1a240fbfffd8
        status: active
    

    While it is not active in Ubuntu 22 (with FIPS enabled as well):

    [ubuntu 22]$ cat /proc/sys/crypto/fips_enabled
    1
    
    [ubuntu 22]$ openssl list -providers
    Providers:
      base
        name: OpenSSL Base Provider
        version: 3.0.2
        status: active
      fips
        name: Ubuntu 22.04 OpenSSL Cryptographic Module
        version: 3.0.5-0ubuntu0.1+Fips2.1
        status: active
    

    I noticed this while trying to use a PKCS#12 package. It fails on Ubuntu, but succeeds on RHEL:

    ~~~
    [ubuntu 22]$ openssl pkcs12 -nodes -in testexportaes.pfx -out testexportaes.pem -password pass:******
    Error verifying PKCS12 MAC; no PKCS12KDF support.
    Use -nomacver if MAC verification is not required.

    [rhel 9.4]$ openssl pkcs12 -nodes -in testexportaes.pfx -out testexportaes.pem -password pass:******
    [rhel 9.4]$
    ~~~

    This issue confirms that PKCS12KDF is not supported on FIPS: https://github.com/openssl/openssl/issues/19997

    The same post mentions this can be worked around by using the default provider, but that doing so is not FIPS compliant.

    My question is whether the default provider should be active on RHEL, or if there are any additional steps to enable FIPS on RHEL other than what is posted here: https://access.redhat.com/solutions/137833#rhel9

    Thank you!
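
A check for the provider state shown in the two listings above, as an added example that is not part of the original post: it parses `openssl list -providers` output and reports active providers other than `base` and `fips` when the kernel FIPS flag is set. The function names and return codes are assumptions of this example, and a reported provider is a prompt for review, not a compliance verdict.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Listings copied from the post's two hosts.
RHEL_LISTING='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active'
UBUNTU_LISTING='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: Ubuntu 22.04 OpenSSL Cryptographic Module
    version: 3.0.5-0ubuntu0.1+Fips2.1
    status: active'

# stdin: `openssl list -providers` output; stdout: one active provider id per line.
active_providers() {
  awk 'NF == 1 && $1 !~ /:$/ { id = $1; next }   # id line such as "default"
       $1 == "status:" && $2 == "active" && id != "" { print id }'
}

# $1: contents of /proc/sys/crypto/fips_enabled; stdin: provider listing.
# Returns 0 = only base/fips active, 1 = other providers active,
# 2 = fips provider not active, 3 = kernel FIPS flag not set.
check_providers() {
  local active extra
  [ "$1" = "1" ] || { echo "kernel FIPS flag not set"; return 3; }
  active=$(active_providers)
  printf '%s\n' "$active" | grep -qx fips || { echo "fips provider not active"; return 2; }
  extra=$(printf '%s\n' "$active" | grep -vx -e base -e fips | tr '\n' ' ')
  [ -z "$extra" ] && return 0
  echo "active besides base/fips: ${extra% }"
  return 1
}

# Live use: openssl list -providers | check_providers "$(cat /proc/sys/crypto/fips_enabled)"
printf '%s\n' "$RHEL_LISTING" | check_providers 1 || echo "rhel 9.4 listing: rc=$?"
printf '%s\n' "$UBUNTU_LISTING" | check_providers 1 && echo "ubuntu 22 listing: only base/fips active"
```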
