http://bugzilla.suse.com/show_bug.cgi?id=1022874 http://bugzilla.suse.com/show_bug.cgi?id=1022874#c1 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |holgerbruenjes@gmx.net, | |meissner@suse.com Assignee|bnc-team-screening@forge.pr |vcizek@suse.com |ovo.novell.com | Flags| |needinfo?(holgerbruenjes@gm | |x.net) --- Comment #1 from Marcus Meissner --- do i understand right that you rebuilt this openssl on your own? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1022874 http://bugzilla.suse.com/show_bug.cgi?id=1022874#c3 Vítězslav Čížek changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vcizek@suse.com --- Comment #3 from Vítězslav Čížek --- (In reply to Holger Bruenjes from comment #0)

with patch 41 Patch41: openssl-fips-dont_run_FIPS_module_installed.patch

if the hmac files .libcrypto.so.1.0.0.hmac .libssl.so.1.0.0.hmac

installed and no CRYPTO_FIPS enabled openssl is brocken

I don't fully understand your setup, could you tell us more, how do you build openssl? And what is CRYPTO_FIPS here? I can't find such symbol anywhere. Couldn't the fips selftest failure be caused by incorrect .hmac files?

in this situation Patch56: openssl-fips-selftests_in_nonfips_mode.patch has no effect,

is worked for all releases before without the Patch41

In 1.0.2 it could have worked because due to bug 982268, the fips selftests weren't run at all. See below. (In reply to Holger Bruenjes from comment #2)

I participate from the excellent work of the suse maintainer and rebuild the src.rpm on 'eisfair'. In the last years I have no problems with this source and now the openssl lib bailed out. I can not read (bsc#982268), Access Denied; You are not authorized to access bug #982268.

Bug 982268 was about skipping fips initialization entirely, because we don't ship /etc/system-fips. Patch openssl-fips-dont_run_FIPS_module_installed.patch was added to reinstate the fips init. With it, openssl should behave as it did in the 1.0.1 version. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1022874 http://bugzilla.suse.com/show_bug.cgi?id=1022874#c5 --- Comment #5 from Marcus Meissner --- I think you are building openssl without the "fips" configure option. right? This translates to the CRYPTO_FIPS define in openssl. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1022874 http://bugzilla.suse.com/show_bug.cgi?id=1022874#c7 --- Comment #7 from Holger Bruenjes --- now, I can catch it On my old box a 32bit system, I installed OpenSUSE-13.2 and I only updated OpenSSL, libopenssl1_0_0 and then I installed libopenssl1_0_0-hmac from zypper addrepo http://download.opensuse.org/repositories/Apache:Next/openSUSE_13.2/Apache:N... I run wget and openssl crashed and no connect with ssh. ssh_exchange_identification: read: Connection reset by peer I must kill the hmac files by hand now with zypper rm libopenssl1_0_0-hmac... I open a ssh session before I new install the hmac files Last login: Mon Feb 27 21:02:06 2017 Have a lot of fun... linux-c3vj:~ # wget fips.c(484): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE Abgebrochen linux-c3vj:~ # lscpu Architektur: i686 CPU op-mode(s): 32-bit Byte-Reihenfolge: Little Endian CPU(s): 2 On-line CPU(s) list: 0,1 Thread(s) pro Kern: 1 Kern(e) pro Socket: 1 Socket(s): 2 Anbieterkennung: GenuineIntel Prozessorfamilie: 6 Modell: 7 Modellname: Pentium III (Katmai) Stepping: 3 CPU MHz: 498.662 BogoMIPS: 997.41 linux-c3vj:~ # openssl version fips.c(484): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE Abgebrochen linux-c3vj:~ # zypper rm libopenssl1_0_0-hmac-1.0.2k-3.1.i586 fips.c(484): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE Abgebrochen I must kill them by hand linux-c3vj:~ # rm /lib/.libssl.so.1.0.0.hmac linux-c3vj:~ # rm /lib/.libcrypto.so.1.0.0.hmac linux-c3vj:~ # zypper rm libopenssl1_0_0-hmac-1.0.2k-3.1.i586 Daten des Repositories laden ... Installierte Pakete lesen ... Paketabhängigkeiten auflösen ... Das folgende Paket wird GELÖSCHT: libopenssl1_0_0-hmac 1 zu entfernendes Paket. Nach dem Vorgang werden 130,0 B freigegeben. Fortfahren? [j/n/? zeigt alle Optionen] (j): linux-c3vj:~ # openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.suse.com/show_bug.cgi?id=1022874 http://bugzilla.suse.com/show_bug.cgi?id=1022874#c9 Vítězslav Čížek changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX Flags|needinfo?(holgerbruenjes@gm | |x.net) | --- Comment #9 from Vítězslav Čížek --- I'm going to close this bug. 13.2 is not supported anymore and the Tumbleweed 1.0.2 seems to work fine for you. Please reopen it in case it's a problem on newer distributions. -- You are receiving this mail because: You are on the CC list for the bug.