Fix openssl pkcs12 export in pre-start.erb when in FIPS mode #407
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/183313300 The labels on this github issue will be updated when the story is started.
@here I can't open the concourse-ci status. It's loading forever for me.
Error from CI is Action Failed get_task: Task 4d100a7f-da3b-4fb2-77c4-c17692fefaf7 result: 1 of 4 pre-start scripts failed. Failed Jobs: uaa. I retriggered the jobs, but they fail constantly, so I don't see why, but it is related to your change.
On an Ubuntu Bionic FIPS enabled stemcell, pre-start.erb fails. In FIPS Mode, the PKCS#12 format must use compatible encryption and hashing algorithms. Fixes: cloudfoundry#358
From my side it's OK, because this option is only active in FIPS mode, if the assumption is true that for FIPS systems there is always a file /proc/sys/crypto/fips_enabled with content 1. I cannot say if this is always the case for such systems; I only know that others do NOT have this file and therefore the default behaviour stays.
@torsten-sap does this fix also your case within SAP?
@bruce-ricard do you have other concerns?
Discussion with @bruce-ricard, added log with #408
Other than the log, LGTM
if [ -f "/proc/sys/crypto/fips_enabled" ]; then
local FIPS_ENABLED="$(cat /proc/sys/crypto/fips_enabled)"
if [ "${FIPS_ENABLED}" = 1 ]; then
FIPS_OPTS="-certpbe PBE-SHA1-3DES"
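Review bot: the FIPS branch only overrides `-certpbe`; the key PBE (`-keypbe`) and the MAC digest are left at openssl's defaults, so it is worth confirming on the FIPS stemcell that those defaults are approved there too and recording that in a comment next to `FIPS_OPTS="-certpbe PBE-SHA1-3DES"`. Also, as requested in review, emit a log line inside the `if [ "${FIPS_ENABLED}" = 1 ]` branch stating that the FIPS options were activated, so operators can tell from the pre-start log which export path ran.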
As discussed during our meeting, please add a log here saying something like
The fips parameters were activated
or similar.
On an Ubuntu Bionic FIPS enabled stemcell, pre-start.erb fails. In FIPS Mode, the PKCS#12 format must use compatible encryption and hashing algorithms.
Fixes: #358
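The detection-plus-export logic this PR describes, as an added stand-alone example rather than the project's own pre-start.erb. It assumes a hypothetical FIPS_FLAG_FILE variable (defaulting to the kernel's /proc/sys/crypto/fips_enabled) so the check can be pointed at a constructed file, and treats a missing file or any content other than "1" as "not FIPS", which keeps openssl's default behaviour on non-FIPS hosts.

```shell
#!/bin/sh
# Added example, not code from the uaa-release project. FIPS_FLAG_FILE is an
# assumption so the detection can be exercised against a constructed file.
FIPS_FLAG_FILE="${FIPS_FLAG_FILE:-/proc/sys/crypto/fips_enabled}"

# Prints "1" when the kernel reports FIPS mode, "0" otherwise. A missing or
# unreadable file, or any content other than "1", all mean "not FIPS".
fips_enabled() {
  if [ -r "$FIPS_FLAG_FILE" ]; then
    flag="$(cat "$FIPS_FLAG_FILE" 2>/dev/null)"
    [ "$flag" = "1" ] && { echo 1; return 0; }
  fi
  echo 0
}

# Prints the extra openssl pkcs12 options for this host. In FIPS mode the
# OpenSSL 1.x default certificate PBE (40-bit RC2) is not approved, so the
# PR selects PBE-SHA1-3DES; outside FIPS mode the defaults are left alone.
pkcs12_fips_opts() {
  if [ "$(fips_enabled)" = 1 ]; then
    echo "-certpbe PBE-SHA1-3DES"
  fi
}

# Exports a cert and key to a PKCS#12 file with the options chosen above and
# logs when the FIPS path was taken (the log line asked for in review).
# Word-splitting of $opts is intentional: it only ever holds known tokens.
export_pkcs12() {
  cert="$1"; key="$2"; out="$3"; pass="$4"
  opts="$(pkcs12_fips_opts)"
  if [ -n "$opts" ]; then
    echo "FIPS mode detected: exporting PKCS#12 with options: $opts" >&2
  fi
  # shellcheck disable=SC2086
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
    -passout "pass:$pass" $opts
}
```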