Project

General

Profile

action #89122

[sle][security][backlog] fips: add some more openssl tests, dhparam and also s_server/s_client

Added by msmeissn almost 2 years ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
New test
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
40.00 h
Difficulty:
Tags:

Description

We have some non working stuff in FIPS mode with openssl.

https://bugzilla.suse.com/show_bug.cgi?id=1182764

OPENSSL_FORCE_FIPS_MODE=1 openssl dhparam -out dhparams_2048.pem 2048
errors with:
..
140657399079360:error:050C90CA:Diffie-Hellman routines:DH_generate_parameters_ex:non FIPS method:crypto/dh/dh_gen.c:31:

can you add a "openssl dhparam 2048" test to the existing fips suite?

Also testing s_client and s_server in FIPS mode with DHE and potentially others.

openssl s_server -key generatedkey -cert generatedcert -dhparam dhparams_2048.pem -cipher DHE

and then connect to localhost:4433 e.g. with

openssl s_client -connect localhost:4443

History

#1 Updated by tjyrinki_suse almost 2 years ago

  • Subject changed from fips: add some more openssl tests, dhparam and also s_server/s_client to [sle][security] fips: add some more openssl tests, dhparam and also s_server/s_client
  • Start date deleted (2021-02-25)

#2 Updated by llzhao almost 2 years ago

  • Subject changed from [sle][security] fips: add some more openssl tests, dhparam and also s_server/s_client to [sle][security][sle15sp4] fips: add some more openssl tests, dhparam and also s_server/s_client
  • Category set to New test
  • Assignee set to bchou
  • Estimated time set to 40.00 h

#3 Updated by bchou 9 months ago

  • Assignee changed from bchou to rcai

After discussing with Roy, I think we can write some tests on single machine tests in advance. Thank you.

And there are some useful updates from the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1182764

#4 Updated by llzhao 9 months ago

  • Subject changed from [sle][security][sle15sp4] fips: add some more openssl tests, dhparam and also s_server/s_client to [sle][security][backlog] fips: add some more openssl tests, dhparam and also s_server/s_client

#6 Updated by rcai 9 months ago

Pending bug fix and automates it in existing test suite.

#7 Updated by rcai 8 months ago

  • Status changed from New to Blocked

https://bugzilla.suse.com/show_bug.cgi?id=1198913
https://bugzilla.suse.com/show_bug.cgi?id=1180995
Due to bugs, cannot make manual test succeed.
It blocked automation.

#8 Updated by rcai 7 months ago

  • Assignee changed from rcai to bchou

#9 Updated by tjyrinki_suse 5 months ago

1198913 is fixed, https://bugzilla.suse.com/show_bug.cgi?id=1180995 is still open but there is also very recent progress and a possible fix.

#10 Updated by bchou 4 months ago

  • Assignee deleted (bchou)

Let's wait for the bug fixes and do the manual test again.

#11 Updated by pstivanin 2 months ago

  • Status changed from Blocked to In Progress
  • Assignee set to pstivanin

#12 Updated by pstivanin 2 months ago

The test will be added to:

  • 15-SP5 (all supported archs)
  • 15-SP4 (all supported archs)
  • 15-SP2 (all supported archs)

#13 Updated by pstivanin 2 months ago

  • % Done changed from 0 to 70

Status update:

  • 15-SP5:
    • x86_64: PASSED
    • s390x: PASSED
    • aarch64: PASSED
  • 15-SP4:
    • x86_64: PASSED
    • s390x: PASSED
    • aarch64: PASSED
  • 15-SP2:
    • x86_64: PASSED
    • s390x: PASSED
    • aarch64: PASSED

#15 Updated by pstivanin 2 months ago

  • Status changed from In Progress to Resolved

Also available in: Atom PDF