Add option to specify PKCS12 algorithm in pre-start.erb #358
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/182074525 The labels on this github issue will be updated when the story is started.
Closed
See comment in PR.
toabctl added a commit to toabctl/uaa-release that referenced this issue on Sep 19, 2022:
On an Ubuntu Bionic FIPS enabled stemcell, pre-start.erb fails. In FIPS Mode, the PKCS#12 format must use compatible encryption and hashing algorithms. Fixes: cloudfoundry#358
toabctl added four further commits with the same message to toabctl/uaa-release that referenced this issue on Sep 19 and Sep 20, 2022.
strehle added a commit that referenced this issue on Sep 21, 2022:
On an Ubuntu Bionic FIPS enabled stemcell, pre-start.erb fails. In FIPS Mode, the PKCS#12 format must use compatible encryption and hashing algorithms. Fixes: #358 Co-authored-by: Markus Strehle <[email protected]>
Repository owner moved this from Inbox to Done in Foundational Infrastructure Working Group on Sep 21, 2022.
On a FIPS enabled stemcell, pre-start.erb fails under a Bionic based stemcell.
The issue is that the current Ubuntu Bionic based stemcell uses an older version of OpenSSL, which it is required to do to run in FIPS mode. FIPS modules are validated against specific versions, and it is not possible to patch to a newer version without losing validation. There is a known bug in the validated version: when using the openssl pkcs12 command, if the option -certpbe is not used to specify an algorithm, openssl will default to a non-FIPS algorithm.
The pre-start.erb script contains the function insert_ssl_cert, which uses openssl pkcs12 to export the SSL cert. Because -certpbe is not specified, it is failing on a FIPS enabled stemcell. However, we have validated that when passing a supported algorithm such as PBE-SHA1-3DES, everything works as expected.
I'd like the script to either check for a FIPS enabled kernel and select the correct algorithm, or the ability to specify which algorithm the script should use.
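The issue asks for exactly two behaviours: detect a FIPS-enabled kernel and pick a compatible PBE algorithm automatically, or let the operator name the algorithm. The shell below is an added illustration of both, written for this page; it is not the uaa-release pre-start.erb, and the variable names (FIPS_FLAG_FILE, PKCS12_PBE, PKCS12_PASS) and the function names are assumptions of this example. The one fact it relies on beyond the issue text is that the pre-3.0 OpenSSL default for -certpbe is 40-bit RC2, which a FIPS module refuses, so both -certpbe and -keypbe are set explicitly whenever /proc/sys/crypto/fips_enabled reads 1.

```shell
#!/bin/sh
# Added example (not the uaa-release pre-start.erb): choose PKCS#12 PBE
# algorithms explicitly when the kernel runs in FIPS mode, and export a
# certificate plus key into a .p12 file with those options.

# Kernel FIPS flag. Overridable so the selection logic can be exercised
# against a constructed file instead of the real /proc entry (assumption).
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Returns 0 when the kernel reports FIPS mode (flag file exists and holds "1").
fips_enabled() {
    [ -r "$FIPS_FLAG_FILE" ] && [ "$(cat "$FIPS_FLAG_FILE")" = "1" ]
}

# Prints the openssl pkcs12 PBE options to use.
# - PKCS12_PBE set by the operator: the "specify which algorithm" option the
#   issue asks for; it wins over detection.
# - FIPS mode detected: force PBE-SHA1-3DES for cert and key, because the
#   legacy OpenSSL default for -certpbe (40-bit RC2) is rejected by the FIPS module.
# - otherwise: print nothing and keep the OpenSSL defaults.
pkcs12_pbe_args() {
    if [ -n "${PKCS12_PBE:-}" ]; then
        echo "-certpbe $PKCS12_PBE -keypbe $PKCS12_PBE"
    elif fips_enabled; then
        echo "-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES"
    else
        echo ""
    fi
}

# Export cert + key to a PKCS#12 file.
# Usage: PKCS12_PASS=secret export_pkcs12 cert.pem key.pem out.p12
# The export password is read from the environment (-passout env:) so it
# never appears in the process list.
export_pkcs12() {
    cert="$1"; key="$2"; out="$3"
    [ -n "${PKCS12_PASS:-}" ] || { echo "PKCS12_PASS is not set" >&2; return 1; }
    # Word-splitting of the option string is intended here.
    # shellcheck disable=SC2046
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
        -passout env:PKCS12_PASS $(pkcs12_pbe_args)
}
```

On a non-FIPS host pkcs12_pbe_args prints nothing and openssl keeps its defaults, so the same script stays usable on older stemcells; on a FIPS host, or whenever PKCS12_PBE is set, the two -certpbe/-keypbe options are appended and the export succeeds with the validated module.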