Bug #23054

Updated by François ARMAND 10 months ago

On Oracle Linux 8 on a FIPS system (STIG installation or something like that), the rudder agent fails with a segfault during policy update.
The same rules on an Oracle Linux 9 do not break the rudder agent.

Update:

- the problem is that FIPS forbids MD5 and that CFEngine uses MD5 to create the node identifier (by key pinning)
- in Oracle 8 we use the system openssl while in Oracle 9 we embed one, so that's why there's a difference in observed behavior
- the workaround would be to also embed openssl in Oracle 8
- the correction is to make CFEngine able to use both MD5 (for compat and migration) and SHA2.
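
The following added example, which is not CFEngine or Rudder code, shows the behaviour the correction asks for: identifiers are derived with SHA-256 and, where the crypto library still allows it, MD5, and an unavailable digest becomes a reported condition rather than a crash. The `LABEL=hex` identifier format, the function names and the sample key bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed label -> hashlib algorithm, strongest first. The "LABEL=hex" form
# is a convention made up for this example.
ALGOS = (("SHA256", "sha256"), ("MD5", "md5"))

def key_digest(algo, pubkey, new=hashlib.new):
    """Hex digest of the key bytes, or None if the crypto library refuses
    the algorithm (hashlib can raise ValueError for MD5 in FIPS mode)."""
    try:
        return new(algo, pubkey).hexdigest()
    except ValueError:
        return None

def node_identifiers(pubkey, new=hashlib.new):
    """All identifiers this host is able to compute for the key."""
    ids = {}
    for label, algo in ALGOS:
        digest = key_digest(algo, pubkey, new)
        if digest is not None:
            ids[label] = f"{label}={digest}"
    return ids

def check_pin(pinned, pubkey, new=hashlib.new):
    """Compare a pinned identifier with the presented key.
    Returns (ok, reason) instead of failing when a digest is unavailable."""
    label, sep, _ = pinned.partition("=")
    if not sep or label not in dict(ALGOS):
        return False, "unknown-format"
    current = node_identifiers(pubkey, new).get(label)
    if current is None:
        return False, "digest-unavailable"  # e.g. MD5 pin checked under FIPS
    if not hmac.compare_digest(current.encode(), pinned.encode()):
        return False, "mismatch"
    # A valid MD5 pin is accepted but flagged so it can be re-pinned to SHA2.
    return True, ("migrate-to-sha256" if label == "MD5" else "ok")

if __name__ == "__main__":
    key = b"constructed-public-key-bytes"  # constructed sample, not a real key
    for ident in node_identifiers(key).values():
        print(ident, check_pin(ident, key))
```

The `new` parameter exists so a FIPS-style refusal of MD5 can be simulated on a host where MD5 is still available.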
