Hi all,
I enabled FIPS-mode on my Fedora 33 machine (fips-mode-setup --enable; reboot) and it all looks fine except printing using Cups. Printing will throw an error:
Process 10708 (bannertopdf) of user 4 dumped
core.
Stack trace of thread 10708:
#0
0x00007f4d169d89d5 raise (libc.so.6 + 0x3d9d5)
#1
0x00007f4d169c18a4 abort (libc.so.6 + 0x268a4)
#2
0x00007f4d16c1f926
_ZN9__gnu_cxx27__verbose_terminate_handlerEv.cold
(libstdc++.so.6 + 0x9e926)
#3
0x00007f4d16c2b1ac _ZN10__cxxabiv111__terminateEPFvvE
(libstdc++.so.6 + 0xaa1ac)
#4
0x00007f4d16c2b217 _ZSt9terminatev (libstdc++.so.6 + 0xaa217)
#5
0x00007f4d16c2b4c9 __cxa_throw (libstdc++.so.6 + 0xaa4c9)
#6
0x00007f4d16da64e2 _ZN17QPDFCrypto_gnutls8MD5_initEv.cold
(libqpdf.so.28 + 0x3d4e2)
#7
0x00007f4d16dafaa1 _ZN3MD5C1Ev (libqpdf.so.28 + 0x46aa1)
#8
0x00007f4d16e17c67
_ZN4QPDF16compute_data_keyERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEiibii
(libqpdf.so.28 + 0xaec67)
#9
0x00007f4d16dfe538 _ZN10QPDFWriter10setDataKeyEi (libqpdf.so.28
+ 0x95538)
#10
0x00007f4d16e048fe
_ZN10QPDFWriter11writeObjectE16QPDFObjectHandlei (libqpdf.so.28
+ 0x9b8fe)
#11
0x00007f4d16e0f8df _ZN10QPDFWriter5writeEv (libqpdf.so.28 +
0xa68df)
#12
0x000055e157a50c89 generate_banner_pdf (bannertopdf + 0x8c89)
#13
0x000055e157a4c559 main (bannertopdf + 0x4559)
#14
0x00007f4d169c31e2 __libc_start_main (libc.so.6 + 0x281e2)
#15
0x000055e157a4c9ee _start (bannertopdf + 0x49ee)
mrt 23 11:56:06 xxx cupsd[1870]: Job stopped due to filter
errors; please consult the syslog file for details.
Disabling FIPS will make it work again.
Running bannertopdf gives a clue why it is not allowed when using FIPS. It uses MD% which is not allowed in FIPS:/usr/lib/cups/filter/bannertopdf 1 xxx '' 1
'' </usr/share/cups/data/testprint >bannertopdf.pdf
DEBUG: PDF template file doesn't have form. It's okay.
terminate called after throwing an instance of
'std::runtime_error'
what(): gnutls: MD5 error: An algorithm that is not enabled
was negotiated.
Aborted (core dumped)
Any idea how to fix this? Or since Cups seems problematic for FIPS, bypass FIPS for Cups only?
There is an interesting Bugzilla voor RHEL8 on this (https://bugzilla.redhat.com/show_bug.cgi?id=1650233) but I can't find out whether or not this is fixed for Fedora.
Winfried
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
