Bugzilla – Bug 1220674
[Build 59.2] Error setting cipher DES-EDE3-CBC in FIPS mode with libopenssl-3-fips-provider
Last modified: 2024-07-01 12:22:16 UTC
The Build 59.2 now ships libopenssl-3-fips-provider as part of the FIPS pattern. However, running command openssl enc -des3 -e -pbkdf2 -in hello.txt -out hello.txt.enc -k pass1234 -md sha256 yields error "Error setting cipher DES-EDE3-CBC", while in Build 54.1 which was the last one with functional openSSL 1.1 FIPS pattern installtion it paases. Failing (59.2): https://openqa.suse.de/tests/13641086#step/openssl_fips_cipher/40 Passing (54.1): https://openqa.suse.de/tests/13493595#step/openssl_fips_cipher/39 List of additional packages installed by the fips pattern 59.2: https://openqa.suse.de/tests/13641086#step/fips_setup/3 (1/5) Installing: libkcapi-tools-0.13.0-150600.15.3.x86_64 [..done] (2/5) Installing: libopenssl-3-fips-provider-3.1.4-150600.1.11.x86_64 [..done] (3/5) Installing: openssh-fips-9.3p2-150600.1.1.x86_64 [..done] (4/5) Installing: dracut-fips-059+suse.506.gd33b6bef-150600.1.32.x86_64 [..done] (5/5) Installing: patterns-base-fips-20200124-150600.28.1.x86_64 [..done] openssl version openssl-3.1.4-150600.1.17.noarch 54.1: https://openqa.suse.de/tests/13493595#step/fips_setup/3 (1/5) Installing: libkcapi-tools-0.13.0-1.114.x86_64 [..done] (2/5) Installing: libopenssl1_1-hmac-1.1.1l-150500.17.22.1.x86_64 [..done] (3/5) Installing: openssh-fips-8.4p1-150300.3.27.1.x86_64 [..done] (4/5) Installing: dracut-fips-059+suse.506.gd33b6bef-150600.1.20.x86_64 [..done] (5/5) Installing: patterns-base-fips-20200124-150600.26.1.x86_64 [..done] openssl version openssl-1.1.1l-150400.1.5.noarch
Triple DES is no longer in FIPS scope, so I would say this test is allowed to FAIL.
Created ticket https://progress.opensuse.org/issues/156334 to make tha change to the tests, at least openssl_fips_cipher and dirmngr_setup.