Fix compatibility with FIPS-enabled Jammy BOSH stemcells #178

Merged (2 commits) on Dec 22, 2023

peterhaochen47
Member

[Fixes #174]

@cf-gitbot
Collaborator

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

- As the original PR
  (#66) and commit
  message explain, this legacy mode is only needed when using java 8.
  Since we have upgraded to java 17, this legacy mode is no longer
  needed.

[#186629315]
@peterhaochen47 peterhaochen47 force-pushed the pr/main/fix-fips-stemcell-compatibility branch from 7af09f0 to 5c9ceb0 Compare December 21, 2023 06:48
- algorithm "PBE-SHA1-3DES" is not available on FIPS Jammy (OpenSSL 3.0.2 / Ubuntu 22.04.3 LTS), error:
```
Error creating PKCS12 structure for cert.p12
error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>)
error:1180006B:PKCS12 routines:PKCS12_PBE_keyivgen_ex:key gen error:../crypto/pkcs12/p12_crpt.c:55:
error:11800067:PKCS12 routines:PKCS12_item_i2d_encrypt_ex:encrypt error:../crypto/pkcs12/p12_decr.c:191:
error:11800067:PKCS12 routines:PKCS12_pack_p7encdata_ex:encrypt error:../crypto/pkcs12/p12_add.c:127:
```
- so use the "-nomac" option instead as recommended on https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html#NOTES
- see a similar fix in uaa-release: cloudfoundry/uaa-release@5a57378

[#186629315]
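
A triage helper for the error output quoted in the commit message above, as an added example that is not part of this pull request or of credhub-release: it parses OpenSSL 3.x error-queue lines and reports which algorithm the loaded providers could not supply and which functions reported the failure afterwards. The names `find_missing_algorithms` and `MissingAlgorithm` are hypothetical, and the line layout is assumed from the quoted output.

```python
import re
from typing import List, NamedTuple

# One OpenSSL 3.x error-queue line (the thread-id prefix is optional):
#   [thread-id:]error:<code>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_LINE = re.compile(
    r"^(?:[0-9A-Fa-f]+:)?error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)
# Extra data that OpenSSL attaches to a failed algorithm fetch.
FETCH_DATA = re.compile(
    r"Algorithm \((?P<alg>[^:)]+?)\s*:\s*\d+\), Properties \((?P<props>[^)]*)\)"
)


class MissingAlgorithm(NamedTuple):
    algorithm: str      # name the loaded providers could not supply
    properties: str     # property query used for the fetch
    callers: List[str]  # functions that reported errors after the failed fetch


def find_missing_algorithms(log_text: str) -> List[MissingAlgorithm]:
    """Return one entry per failed fetch, with the error chain that followed it."""
    findings: List[MissingAlgorithm] = []
    for raw in log_text.splitlines():
        m = ERR_LINE.match(raw.strip())
        if not m:
            continue  # not an error-queue line (e.g. the CLI's own message)
        fetch = FETCH_DATA.search(m["data"])
        if m["reason"] == "unsupported" and fetch:
            findings.append(MissingAlgorithm(fetch["alg"], fetch["props"], []))
        elif findings:
            findings[-1].callers.append(m["func"])
    return findings


# Sample input: the error output quoted in the commit message above.
SAMPLE = """\
Error creating PKCS12 structure for cert.p12
error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>)
error:1180006B:PKCS12 routines:PKCS12_PBE_keyivgen_ex:key gen error:../crypto/pkcs12/p12_crpt.c:55:
error:11800067:PKCS12 routines:PKCS12_item_i2d_encrypt_ex:encrypt error:../crypto/pkcs12/p12_decr.c:191:
error:11800067:PKCS12 routines:PKCS12_pack_p7encdata_ex:encrypt error:../crypto/pkcs12/p12_add.c:127:
"""

if __name__ == "__main__":
    for f in find_missing_algorithms(SAMPLE):
        print(f"{f.algorithm} unavailable (properties {f.properties}); via {f.callers}")
```

Run over deployment logs, this separates a provider that lacks an algorithm from other PKCS12 failures such as a wrong password, which produce no fetch error.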
@peterhaochen47 peterhaochen47 changed the title [WIP - do not merge] Fix compatibility with FIPS-enabled Jammy BOSH stemcells Fix compatibility with FIPS-enabled Jammy BOSH stemcells Dec 21, 2023
@peterhaochen47 peterhaochen47 marked this pull request as ready for review December 21, 2023 07:17
@hsinn0 hsinn0 merged commit 3a25950 into main Dec 22, 2023
4 checks passed
@hsinn0
Contributor

hsinn0 commented Dec 22, 2023

OK, so this PR also contains the change in #177. @peterhaochen47, will you assign PR 177 to yourself, to comment & close?

@hsinn0 hsinn0 deleted the pr/main/fix-fips-stemcell-compatibility branch December 22, 2023 00:43
Successfully merging this pull request may close these issues.

credhub-release fails on FIPS compliant Jammy stemcell