OpenSSL backend is unavailable when using oc with a FIPS-enabled OpenShift cluster

Solution Verified

Environment

  • OpenShift
    • 4.14.x with FIPS enabled
    • 4.15.x with FIPS enabled
  • Red Hat Enterprise Server (RHEL) 8 with FIPS enabled
  • Red Hat Enterprise Server (RHEL) 9 with FIPS enabled

Issue

When a cluster is installed with FIPS enabled, the oc command errors when used on a RHEL 8 or 9 system with FIPS enabled. The error is:

FIPS mode is enabled, but the required OpenSSL backend is unavailable

Resolution

This issue has been reported to Red Hat engineering and is being tracked in Bug OCPBUGS-24234. For more information, please open a new support case. A workaround is to use the oc binary from the cluster:

- oc debug node/<master node> -- cat /host/usr/bin/oc > oc
- chmod +x oc
- ./oc version
- Output: Client Version: <4.1xxxxx>stream

Root Cause

The oc binary provided is checking for an older OpenSSL version, which was part of RHEL 8.

rpm -qf /lib64/libcrypto.so.3
openssl-libs-3.0.7-24.el9.x86_64     <--- RHEL9

rpm -qf /usr/lib64/libcrypto.so.1.1
openssl-libs-1.1.1k-9.el8_6.x86_64   <--- RHEL8

Diagnostic Steps

  • Install an OpenShift cluster with FIPS enabled
  • Enable FIPS on RHEL 8 or 9. This can be done during installation or after installation with: sudo fips-mode-setup --enable
  • Use the oc command to log in or use any oc command against the FIPS cluster from a RHEL 8 or 9 system
  • The result is the error "Error: FIPS mode is enabled, but the required OpenSSL backend is unavailable", and none of the oc commands will work.
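
The checks from the Root Cause and Diagnostic Steps sections can be gathered in one pass. The script below is an added example, not part of the original solution or of Red Hat tooling; the variables FIPS_FLAG, LIB_DIRS and OC_BIN and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: collects the facts behind this article's Root Cause section.
# FIPS_FLAG, LIB_DIRS and OC_BIN are this example's own variables (overridable).
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
LIB_DIRS="${LIB_DIRS:-/lib64 /usr/lib64}"
OC_BIN="${OC_BIN:-oc}"
ERR_TEXT='FIPS mode is enabled, but the required OpenSSL backend is unavailable'

# Print "enabled" when the kernel FIPS flag file contains 1, otherwise "disabled".
fips_state() {
    if [ -r "$FIPS_FLAG" ] && [ "$(cat "$FIPS_FLAG")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Print the installed libcrypto sonames: "1.1" (RHEL 8 OpenSSL), "3" (RHEL 9 OpenSSL).
libcrypto_versions() {
    found=""
    for ver in 1.1 3; do
        for dir in $LIB_DIRS; do
            if [ -e "$dir/libcrypto.so.$ver" ]; then
                found="$found $ver"
                break
            fi
        done
    done
    echo "${found# }"
}

# Run the client-only version check and classify the result:
# "fips-backend-error" (the error from this article), "ok", or "failed" (anything else).
oc_state() {
    out=$("$OC_BIN" version --client 2>&1) && rc=0 || rc=$?
    case "$out" in
        *"$ERR_TEXT"*) echo fips-backend-error ;;
        *) if [ "$rc" -eq 0 ]; then echo ok; else echo failed; fi ;;
    esac
}

report() {
    echo "FIPS mode:         $(fips_state)"
    echo "libcrypto sonames: $(libcrypto_versions)"
    echo "oc client check:   $(oc_state)"
}

report
```

Run it with OC_BIN=./oc to check the binary copied from the cluster by the workaround.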
