RHEL 9.4 - Default OpenSSL provider active when FIPS is enabled

Hello,

I am testing some of the features of my product on RHEL 9.4 with FIPS enabled.

I noticed that the default OpenSSL provider is active on RHEL:

~~~
[rhel 9.4]$ fips-mode-setup --check
FIPS mode is enabled.

[rhel 9.4]$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active
~~~

While it is not active in Ubuntu 22 (with FIPS enabled as well):

~~~
[ubuntu 22]$ cat /proc/sys/crypto/fips_enabled
1

[ubuntu 22]$ openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.2
    status: active
  fips
    name: Ubuntu 22.04 OpenSSL Cryptographic Module
    version: 3.0.5-0ubuntu0.1+Fips2.1
    status: active
~~~

I noticed this while trying to use a PKCS#12 package. It fails on Ubuntu, but succeeds on RHEL:

~~~
[ubuntu 22]$ openssl pkcs12 -nodes -in testexportaes.pfx -out testexportaes.pem -password pass:******
Error verifying PKCS12 MAC; no PKCS12KDF support.
Use -nomacver if MAC verification is not required.

[rhel 9.4]$ openssl pkcs12 -nodes -in testexportaes.pfx -out testexportaes.pem -password pass:******
[rhel 9.4]$
~~~

This issue confirms that PKCS12KDF is not supported on FIPS: https://github.com/openssl/openssl/issues/19997

The same post mentions this can be worked around by using the default provider, but that doing so is not FIPS compliant.

My question is whether the default provider should be active on RHEL, or if there are any additional steps to enable FIPS on RHEL other than what is posted here: https://access.redhat.com/solutions/137833#rhel9

Thank you!
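The comparison the post makes by hand (kernel FIPS flag versus the provider list) can be turned into a repeatable check. The script below is an added example, not code from the post or from Red Hat; it parses the `openssl list -providers` output format shown above and flags a host where FIPS mode is on but the default provider is still active. The listing it ships with is a constructed copy of the RHEL output, and `live_check` is a hypothetical wrapper that runs the same logic against the current host.

```shell
#!/bin/sh
# Added example: detect the "FIPS enabled, default provider still loaded"
# condition from the post by parsing `openssl list -providers` output.

# Constructed sample listing, shaped like the RHEL 9.4 output in the post.
SAMPLE_LISTING='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active'

# active_providers LISTING -> space-separated names of providers with status active.
# Provider names are indented by two spaces, their attributes by four.
active_providers() {
    printf '%s\n' "$1" | awk '
        /^  [^ ]/      { name = $1 }
        /^    status:/ { if ($2 == "active") { printf "%s%s", sep, name; sep = " " } }
        END            { printf "\n" }'
}

# provider_active NAME LISTING -> exit 0 if NAME is among the active providers.
provider_active() {
    case " $(active_providers "$2") " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fips_provider_check FIPS_ENABLED LISTING -> prints a verdict:
#   fips-off          kernel flag is not 1
#   default-leak      FIPS on, but the default provider is active (RHEL shape above)
#   fips-only         FIPS on, fips provider active, default provider absent (Ubuntu shape)
#   no-fips-provider  FIPS on, but no fips provider is loaded at all
fips_provider_check() {
    [ "$1" = "1" ] || { echo "fips-off"; return 1; }
    if provider_active default "$2"; then echo "default-leak"; return 2; fi
    provider_active fips "$2" && { echo "fips-only"; return 0; }
    echo "no-fips-provider"; return 3
}

# Hypothetical live wrapper: same check against this host's kernel flag and OpenSSL.
live_check() {
    fips_provider_check "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)" \
                        "$(openssl list -providers 2>/dev/null)"
}
```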
