Basic128Rsa15 and Basic256 with OpenSSL are broken on RHEL 9 #5938
Comments
Check if fixed via #5937.
@basyskom-jvoe can this be closed after #5937?
@jpfr I don't have access to RHEL 9 at the moment. I'll try to check this soon.
@jpfr The problem is still present with v1.4.1.
Description
Due to the decision to disable SHA-1 signatures in OpenSSL on RHEL 9 (see here), the two security policies Basic128Rsa15 and Basic256 no longer work on that platform.
Building and linking works without any problem but a runtime error occurs:
Sending OPN message failed with error BadInternalError.
This error message is generated by EVP_DigestSignInit() in UA_Openssl_RSA_Private_Sign() failing with error:03000098:digital envelope routines::invalid digest when EVP_sha1() is passed.
If there should be no way to bring back the support by using different API from OpenSSL, it would be nice if a way could be found to detect this situation and exclude the two broken security policies from the build.
For the open62541 plugin in Qt OPC UA, I am currently implementing an approach where I attempt to call EVP_DigestSignInit() as open62541 does it and exclude the two policies from the list of supported policies if the call fails.
But for open62541, it would be better to have a solution where this is detected during configuration so the corresponding API can be excluded from the build via #ifdef.
Steps to reproduce
UA_ENABLE_ENCRYPTION=OPENSSL and UA_BUILD_UNIT_TESTS=ON
The following output will be shown:
Without access to RHEL 9, the problem can also be reproduced with a current Fedora by setting the environment variable OPENSSL_FORCE_FIPS_MODE while running the unit tests.
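A command-line variant of the probe described in the issue above, as an added example that is not part of the original issue, open62541 or Qt OPC UA: it attempts an RSA signature through the openssl CLI instead of calling EVP_DigestSignInit() directly. The function names, the throwaway key and the SHA-256 control probe are assumptions of this example.

```shell
#!/bin/sh
# Added example (not open62541 or Qt OPC UA code): probe the local OpenSSL
# for RSA signatures over a given digest, using a throwaway key made here.

# probe_rsa_digest KEYFILE DIGEST
# Exit status 0 if "openssl dgst" can create an RSA signature with DIGEST,
# non-zero if the digest is refused or unknown.
probe_rsa_digest() {
    printf 'probe' | openssl dgst "-$2" -sign "$1" >/dev/null 2>&1
}

# sha1_policy_status
# Prints one word:
#   usable  - SHA-1 signing works; Basic128Rsa15 and Basic256 can be offered
#   blocked - SHA-256 works but SHA-1 is refused; leave both policies out
#   unknown - key generation or the SHA-256 control failed; no conclusion
sha1_policy_status() {
    dir=$(mktemp -d) || { echo unknown; return 0; }
    key="$dir/key.pem"
    # The control probe separates "SHA-1 is disabled by policy" from
    # "this openssl installation cannot sign at all".
    if ! openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$key" >/dev/null 2>&1 ||
       ! probe_rsa_digest "$key" sha256; then
        result=unknown
    elif probe_rsa_digest "$key" sha1; then
        result=usable
    else
        result=blocked
    fi
    rm -rf "$dir"
    echo "$result"
}

# Print the verdict when the script is run.
echo "SHA-1 based policies (Basic128Rsa15, Basic256): $(sha1_policy_status)"
```

A build script can branch on the printed word, for example to leave both policies out when the result is blocked.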