UNCLASSIFIED - NO CUI

Skip to content

TLS handshake errors with openssl and curl using FIPS provider after image version upgrade to 9.5

Summary

Containers based on the UBI9 image cannot curl to https URLs or execute certain openssl commands when enabling the FIPS provider after the UBI 9.5 upgrade, which appears to have updated openssl to version 3.2.2. This impacts the Tomcat 10 OpenJDK17 container as well since the URI9 image is the source image. If the FIPS provider is not enabled, openssl and curl functions as expected. Our team creates builds base images based on the of the latest UBI9 and Tomcat 10 containers every morning, and we noticed this problem start occurring in our builds on 11/13.

Steps to reproduce

Enabling FIPS mode using the steps outlined on the Tomcat readme (https://repo1.dso.mil/dsop/opensource/apache/tomcat10-openjdk17/-/tree/development?ref_type=heads#enabling-tomcat-in-fips-mode), then start the container and run a curl command to an https URL, or run "openssl list -providers".

What is the current bug behavior?

When listing the openssl providers there is a FATAL: Startup failure. When running a curl command a "digital envelope routines::decode error" error occurs.

What is the expected correct behavior?

We expect to see the following output from these commands. The output below is from a UBI9 image with FIPS enabled that we built on 10/28, and is running openssl version 3.0.7

[root@bdb799dfa173 /]# openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active
  fips
    name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
    version: 3.0.7-395c1a240fbfffd8
    status: active
[root@bdb799dfa173 /]# curl -iv https://www.google.com
*   Trying 142.251.116.105:443...
* Connected to www.google.com (142.251.116.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Oct 21 08:38:45 2024 GMT
*  expire date: Jan 13 08:38:44 2025 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.

Relevant logs and/or screenshots

Errors from running openssl list -providers

[root@d2d867b4d9c3 /]# openssl list -providers
FATAL: Startup failure (dev note: apps_startup()) for /usr/bin/openssl
00FE9D574A7A0000:error:0700007E:configuration file routines:provider_conf_params_internal:recursive section reference:crypto/provider_conf.c:102:
00FE9D574A7A0000:error:0700006D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:276:module=providers, value=provider_sect retcode=-1      
FATAL: Startup failure (dev note: apps_startup()) for /usr/bin/openssl
00DE61224E700000:error:0700007E:configuration file routines:provider_conf_params_internal:recursive section reference:crypto/provider_conf.c:102:
00DE61224E700000:error:0700006D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:276:module=providers, value=provider_sect retcode=-1      
FATAL: Startup failure (dev note: apps_startup()) for /usr/bin/openssl
001E2E3364740000:error:0700007E:configuration file routines:provider_conf_params_internal:recursive section reference:crypto/provider_conf.c:102:
001E2E3364740000:error:0700006D:configuration file routines:module_run:module initialization error:crypto/conf/conf_mod.c:276:module=providers, value=provider_sect retcode=-1

When trying to curl:

[root@d2d867b4d9c3 /]# curl -iv https://www.google.com
*   Trying 142.250.114.147:443...
* Connected to www.google.com (142.250.114.147) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, bad certificate (554):
* error:03000072:digital envelope routines::decode error
* Closing connection 0
curl: (35) error:03000072:digital envelope routines::decode error

Possible fixes

Unclear what the fix is, but possible the fips module has a corrupted install or the steps required to enable have changed.

Tasks

  • Bug has been identified and corrected within the container

Please read the Iron Bank Documentation for more info

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI