clients rsa-pss keys are refused in FIPS mode
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
People
(Reporter: rrelyea, Unassigned)
Details
(Whiteboard: [nss-nofx])
Attachments
(1 file)
13.49 KB,
application/gzip
|
Details |
Description of problem:
When server has only RSA-PSS key, and client uses RSA-PSS keys connection aborts with handshake_failure alert. This happens only in FIPS mode.
Version-Release number of selected component (if applicable):
nss-3.44.0-7.el8_0
How reproducible:
always
Steps to Reproduce:
- Setup FIPS mode.
- Setup server with attachment server/key.pem and server/cert.pem
- Create nssdb with ca/cert.pem certificate marked as trusted
- tstclnt -d sql:./nssdb/ -h 127.0.0.1 -p 4433
Actual results:
server aborts connection
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Use keys imported from PKCS#12 file
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 19:33:52 ] :: [ BEGIN ] :: Running '/usr/lib64/nss/unsupported-tools/selfserv -d sql:./pss-srv-db -p 4433 -n server-rsa-pss -rr -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512 >server.out 2>server.err &'
:: [ 19:33:52 ] :: [ PASS ] :: Command '/usr/lib64/nss/unsupported-tools/selfserv -d sql:./pss-srv-db -p 4433 -n server-rsa-pss -rr -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512 >server.out 2>server.err &' (Expected 0, got 0)
:: [ 19:33:52 ] :: [ BEGIN ] :: Running 'rlWaitForSocket 4433 -p 45980'
:: [ 19:33:52 ] :: [ INFO ] :: rlWaitForSocket: Waiting max 120s for socket `4433' to start listening
:: [ 19:33:53 ] :: [ INFO ] :: rlWaitForSocket: Wait successful!
:: [ 19:33:53 ] :: [ PASS ] :: Command 'rlWaitForSocket 4433 -p 45980' (Expected 0, got 0)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running './nss-client.expect /usr/lib64/nss/unsupported-tools/tstclnt -d sql:./pss-clnt-db -h localhost -p 4433 -n client-rsa-pss -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512'
spawn /bin/sh -c /usr/lib64/nss/unsupported-tools/tstclnt -d sql:./pss-clnt-db -h localhost -p 4433 -n client-rsa-pss -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512
tstclnt: read from socket failed: SSL_ERROR_BAD_CERT_ALERT: SSL peer cannot verify your certificate.
:: [ 19:33:53 ] :: [ FAIL ] :: Command './nss-client.expect /usr/lib64/nss/unsupported-tools/tstclnt -d sql:./pss-clnt-db -h localhost -p 4433 -n client-rsa-pss -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512' (Expected 0, got 1)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'kill 45980'
/usr/share/beakerlib/testing.sh: line 756: 45980 Terminated /usr/lib64/nss/unsupported-tools/selfserv -d sql:./pss-srv-db -p 4433 -n server-rsa-pss -rr -J rsa_pss_pss_sha256,rsa_pss_pss_sha384,rsa_pss_pss_sha512 > server.out 2> server.err
:: [ 19:33:53 ] :: [ PASS ] :: Command 'kill 45980' (Expected 0, got 0)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'rlWait 45980'
:: [ 19:33:53 ] :: [ PASS ] :: Command 'rlWait 45980' (Expected 143, got 143)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'cat server.out'
:: [ 19:33:53 ] :: [ PASS ] :: Command 'cat server.out' (Expected 0, got 0)
:: [ 19:33:53 ] :: [ BEGIN ] :: Running 'cat server.err'
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
:: [ 19:33:53 ] :: [ PASS ] :: Command 'cat server.err' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 6 good, 1 bad
:: RESULT: FAIL (Use keys imported from PKCS#12 file)
Expected results:
Connection established
Additional info:
When FIPS is disabled, it works.
Updated•4 years ago
|
Updated•4 years ago
|
Reporter | ||
Comment 1•3 years ago
|
||
Works in the current release.
Description
•