Fix pre-start.erb for Jammy FIPS stemcell #723

Merged

jochenehret
Contributor

Fix for #722

* algorithm "PBE-SHA1-3DES" is not available on FIPS Jammy (OpenSSL 3.0.2 / Ubuntu 22.04.3 LTS)
* so use the "-nomac" option instead as recommended on https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html#NOTES
@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/186620939

The labels on this github issue will be updated when the story is started.

@strehle strehle requested review from a team December 5, 2023 15:43
@strehle strehle linked an issue Dec 5, 2023 that may be closed by this pull request
Member

@strehle strehle left a comment

LGTM since with nomac we hopefully have now a final solution

@strehle strehle requested a review from a team December 5, 2023 16:23
@strehle strehle added the bosh label Dec 5, 2023
@Tallicia
Contributor

Tallicia commented Dec 5, 2023

Does this need to use the old value for old bionic stemcells and only the new value on jammy? If so, checking that to determine the value would improve customer switchover.

@strehle
Member

strehle commented Dec 5, 2023

> bionic stemcells

no longer in support, see https://bosh.cloudfoundry.org/stemcells/#ubuntu-bionic

@strehle
Member

strehle commented Dec 5, 2023

> hopefully have now a final solution

nomac was not available with bionic (and the openssl on this vm), therefore we had to select a valid algorithm, running on the machine, now with this option it hopefully helps with the next major upgrade, e.g. openssl/openssl#20617

Contributor

@Tallicia Tallicia left a comment

Looks good.

@strehle strehle merged commit 5a57378 into cloudfoundry:develop Dec 8, 2023
@strehle strehle deleted the fix-pre-start-fips-jammy branch December 8, 2023 15:42
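
The trade-off behind the `-nomac` option discussed in this thread, as an added example that is not taken from the uaa-release `pre-start.erb`: a PKCS#12 file exported with `-nomac` carries no integrity MAC, so a reader has to skip MAC verification (`-nomacver`) and nothing detects tampering with the container itself. The function names, file names, subject and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compare a default PKCS#12 export with a -nomac export.
# All names, paths and the password below are constructed sample values.
P12_PASS='constructed-example-pass'

# make_test_identity DIR: throwaway self-signed key and certificate.
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=uaa.example.test' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# export_p12 DIR OUT [extra "openssl pkcs12" options, e.g. -nomac]
export_p12() {
    dir=$1; out=$2; shift 2
    openssl pkcs12 -export "$@" \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -name example -passout "pass:$P12_PASS" -out "$out"
}

# p12_has_mac FILE: succeeds if the container carries an integrity MAC.
# -info prints a "MAC: ..." line on stderr when one is present;
# -nomacver lets a MAC-less file be inspected without a verify step.
p12_has_mac() {
    openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" \
        -info -noout -nomacver 2>&1 | grep -q '^MAC:'
}

# compare_exports: export both ways and report; returns 0 when the
# default export has a MAC and the -nomac export does not.
compare_exports() {
    tmp=$(mktemp -d) || return 2
    make_test_identity "$tmp" || { rm -rf "$tmp"; return 2; }
    export_p12 "$tmp" "$tmp/default.p12" || { rm -rf "$tmp"; return 2; }
    export_p12 "$tmp" "$tmp/nomac.p12" -nomac || { rm -rf "$tmp"; return 2; }
    rc=0
    if p12_has_mac "$tmp/default.p12"; then echo "default export: MAC present"
    else echo "default export: no MAC"; rc=1; fi
    if p12_has_mac "$tmp/nomac.p12"; then echo "-nomac export: MAC present"; rc=1
    else echo "-nomac export: no MAC"; fi
    rm -rf "$tmp"
    return $rc
}
```

Call `compare_exports` on a host with a non-FIPS OpenSSL to see both results side by side; on a FIPS-restricted host the default export may fail outright, which the function reports as return code 2.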
Successfully merging this pull request may close these issues.

pre-start script of uaa-release fails on FIPS stemcell