ssl_params error on RHEL7 FIPS enabled
All,
The machine I’m running dovecot on is: RHEL7.9 3.10.0-1160.31.1.el7.x86_64
I can run Systemctl restart dovecot then status or /usr/libexec/dovecot/ssl-params and I get the following error.
Info: Generating SSL parameters Fatal: ssl_iostream_generate_params(4096) failed: DH_generate_parameters(bits=512, gen=2) failed: error:0506A06E:lib(5):func(106):reason(110), error 0506A003:lib(5):func(106):reason(3) Error: child process failed with status 22784
I can generate a diffie-hellman pem with openssl dhparam -out /etc/dovecot/dh.pem 4096 But dovecot 2.2.36 does not have the option of telling it where the dh.pem file is located in the config like version 2.3 does. Is my error related to FIPS and is there a way around it?
My dovecot version is: Dovecot version 2.2.36 release 8.el7
Thanks in advance to anyone willing to help out, I know it’s voluntary 🙏
Thanks, bpartin2009
Sent from my iPhone
There have been multiple submitted fixes to this, I submitted a fix to Redhat myself. And they are not willing to add it to their EL7 at this point.
From: dovecot dovecot-bounces@dovecot.org on behalf of Brad Partin bpartin2009@gmail.com Date: Thursday, August 19, 2021 at 12:39 PM To: "dovecot@dovecot.org" dovecot@dovecot.org Subject: ssl_params error on RHEL7 FIPS enabled
[External Email]
All,
The machine I’m running dovecot on is: RHEL7.9 3.10.0-1160.31.1.el7.x86_64
I can run Systemctl restart dovecot then status or /usr/libexec/dovecot/ssl-params and I get the following error.
Info: Generating SSL parameters Fatal: ssl_iostream_generate_params(4096) failed: DH_generate_parameters(bits=512, gen=2) failed: error:0506A06E:lib(5):func(106):reason(110), error 0506A003:lib(5):func(106):reason(3) Error: child process failed with status 22784
I can generate a diffie-hellman pem with openssl dhparam -out /etc/dovecot/dh.pem 4096 But dovecot 2.2.36 does not have the option of telling it where the dh.pem file is located in the config like version 2.3 does. Is my error related to FIPS and is there a way around it?
My dovecot version is: Dovecot version 2.2.36 release 8.el7
Thanks in advance to anyone willing to help out, I know it’s voluntary 🙏
Thanks, bpartin2009
Sent from my iPhone
participants (2)
-
Brad Partin
-
Martin Olsen