Bug 1220674

Summary: [Build 59.2] Error setting cipher DES-EDE3-CBC in FIPS mode with libopenssl-3-fips-provider
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP6
Reporter: Timo Jyrinki <tjyrinki>
Component: Security Certifications
Assignee: Certification Bugs <certification-bugs>
Status: NEW ---
QA Contact:
Severity: Normal
Priority: P3 - Medium
CC: felice.maccaro, meissner, rtsvetkov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://openqa.suse.de/tests/13641086/modules/openssl_fips_cipher/steps/40
Whiteboard: FIPS
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1220333

Description Timo Jyrinki 2024-02-29 12:58:37 UTC
The Build 59.2 now ships libopenssl-3-fips-provider as part of the FIPS pattern.

However, running the command openssl enc -des3 -e -pbkdf2 -in hello.txt -out hello.txt.enc -k pass1234 -md sha256 yields the error "Error setting cipher DES-EDE3-CBC", while in Build 54.1, which was the last one with a functional OpenSSL 1.1 FIPS pattern installation, it passes.

Failing (59.2): https://openqa.suse.de/tests/13641086#step/openssl_fips_cipher/40
Passing (54.1): https://openqa.suse.de/tests/13493595#step/openssl_fips_cipher/39

List of additional packages installed by the fips pattern

59.2: https://openqa.suse.de/tests/13641086#step/fips_setup/3
(1/5) Installing: libkcapi-tools-0.13.0-150600.15.3.x86_64 [..done]
(2/5) Installing: libopenssl-3-fips-provider-3.1.4-150600.1.11.x86_64 [..done]
(3/5) Installing: openssh-fips-9.3p2-150600.1.1.x86_64 [..done]
(4/5) Installing: dracut-fips-059+suse.506.gd33b6bef-150600.1.32.x86_64 [..done]
(5/5) Installing: patterns-base-fips-20200124-150600.28.1.x86_64 [..done]
openssl version openssl-3.1.4-150600.1.17.noarch

54.1: https://openqa.suse.de/tests/13493595#step/fips_setup/3
(1/5) Installing: libkcapi-tools-0.13.0-1.114.x86_64 [..done]
(2/5) Installing: libopenssl1_1-hmac-1.1.1l-150500.17.22.1.x86_64 [..done]
(3/5) Installing: openssh-fips-8.4p1-150300.3.27.1.x86_64 [..done]
(4/5) Installing: dracut-fips-059+suse.506.gd33b6bef-150600.1.20.x86_64 [..done]
(5/5) Installing: patterns-base-fips-20200124-150600.26.1.x86_64 [..done]
openssl version openssl-1.1.1l-150400.1.5.noarch
Comment 1 Marcus Meissner 2024-02-29 13:07:17 UTC
Triple DES is no longer in FIPS scope, so I would say this test is allowed to FAIL.
Comment 2 Timo Jyrinki 2024-02-29 13:24:00 UTC
Created ticket https://progress.opensuse.org/issues/156334 to make the change to the tests, at least openssl_fips_cipher and dirmngr_setup.
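
One way a test could encode the expectation from Comment 1 (Triple DES rejected when FIPS mode is on, still usable otherwise), as an added example that is not part of the bug thread or of the openQA test code. The function names, the approved/legacy labels, the FIPS_FLAG override and the choice of AES-256-CBC as the approved cipher are assumptions of this example; the openssl enc arguments are the ones from the description.

```shell
# Added example, not the openQA module. FIPS_FLAG may be pointed at another
# file for testing; by default it is the kernel's FIPS mode flag.
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
LAST_ERR=""

fips_enabled() {
    [ -r "$FIPS_FLAG" ] && [ "$(cat "$FIPS_FLAG")" = "1" ]
}

# try_cipher <enc cipher option>: run the command from the report in a scratch
# directory. Returns openssl's exit status, or 99 if the scratch dir failed.
try_cipher() {
    workdir=$(mktemp -d) || return 99
    printf 'hello\n' > "$workdir/hello.txt"
    rc=0
    openssl enc "$1" -e -pbkdf2 -in "$workdir/hello.txt" \
        -out "$workdir/hello.txt.enc" -k pass1234 -md sha256 \
        2> "$workdir/err" || rc=$?
    LAST_ERR=$(cat "$workdir/err")
    rm -rf "$workdir"
    return "$rc"
}

# check_cipher <enc cipher option> <approved|legacy>
#   approved: must encrypt whether or not FIPS mode is on
#   legacy:   must be rejected in FIPS mode, must still work outside it
check_cipher() {
    case "$2" in
        approved) want=ok ;;
        legacy)   if fips_enabled; then want=rejected; else want=ok; fi ;;
        *) echo "ERROR: unknown class '$2'" >&2; return 2 ;;
    esac
    status=0
    try_cipher "$1" || status=$?
    if [ "$status" -eq 99 ]; then
        echo "ERROR: could not create scratch directory" >&2; return 2
    fi
    if [ "$status" -eq 0 ]; then outcome=ok; else outcome=rejected; fi
    if [ "$outcome" = "$want" ]; then
        echo "PASS $1: $outcome ${LAST_ERR:+($LAST_ERR)}"
    else
        echo "FAIL $1: got $outcome, want $want ${LAST_ERR:+($LAST_ERR)}"
        return 1
    fi
}
# Usage: check_cipher -des3 legacy && check_cipher -aes-256-cbc approved
```

On a FIPS-enabled Build 59.2 system, the failure reported above would then count as a pass for `-des3`, while an unexpected success of Triple DES would fail the check.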