Re: Fedora 33 - FIPS - Cups

On Tue, 23 Mar 2021 12:17:09 +0100
Winfried de Heiden <wdh@xxxxxx> wrote:
> I enabled FIPS-mode on my Fedora 33 machine (fips-mode-setup
> --enable; reboot) and it all looks fine except printing using Cups.
> Printing will throw an error:
> 
> Process 10708 (bannertopdf) of user 4 dumped core.

[snip]

> Disabling FIPS will make it work again.
> 
> Running bannertopdf gives a clue why it is not allowed when using
> FIPS. It uses MD5 which is not allowed in FIPS:
> 
> /usr/lib/cups/filter/bannertopdf 1 xxx '' 1 '' </usr/share/cups/data/testprint >bannertopdf.pdf
> DEBUG: PDF template file doesn't have form. It's okay.
> terminate called after throwing an instance of 'std::runtime_error'
>    what():  gnutls: MD5 error: An algorithm that is not enabled was negotiated.
> Aborted (core dumped)
> 
> Any idea how to fix this? Or since Cups seems problematic for FIPS, 
> bypass FIPS for Cups only?
> 
> There is an interesting Bugzilla for RHEL8 on this 
> (https://bugzilla.redhat.com/show_bug.cgi?id=1650233) but I can't
> find out whether or not this is fixed for Fedora.

Caveat: I have no specific domain knowledge about this issue, just
using general reasoning to dissect the problem.

It seems that the idea discussed in this part of the bugzilla you
linked has not been implemented.

https://bugzilla.redhat.com/show_bug.cgi?id=1650233#c26

Thus,
... it seems impossible to make cups FIPS compliant ...
also in that bugzilla.

For now, it seems you have to bypass FIPS for Cups.  I would suggest
opening a new bugzilla with the information from this post, the link to
the previous bugzilla, and asking whether it is / can be fixed, or if
there is already a configuration workaround in place.

Open it against Cups.