On Tue, 23 Mar 2021 12:17:09 +0100 Winfried de Heiden <wdh@xxxxxx> wrote: > I enabled FIPS-mode on my Fedora 33 machine (fips-mode-setup > --enable; reboot) and it all looks fine except printing using Cups. > Printing will throw an error: > > Process 10708 (bannertopdf) of user 4 dumped core. [snip] > Disabling FIPS will make it work again. > > Running bannertopdf gives a clue why it is not allowed when using > FIPS. It uses MD% which is not allowed in FIPS: > > /usr/lib/cups/filter/bannertopdf 1 xxx '' 1 '' > </usr/share/cups/data/testprint >bannertopdf.pdf > DEBUG: PDF template file doesn't have form. It's okay. > terminate called after throwing an instance of 'std::runtime_error' > what(): gnutls: MD5 error: An algorithm that is not enabled was > negotiated. > Aborted (core dumped) > > Any idea how to fix this? Or since Cups seems problematic for FIPS, > bypass FIPS for Cups only? > > There is an interesting Bugzilla voor RHEL8 on this > (https://bugzilla.redhat.com/show_bug.cgi?id=1650233) but I can't > find out whether or not this is fixed for Fedora. Caveat: I have no specific domain knowledge about this issue, just using general reasoning to dissect the problem. It seems that the idea discussed in this part of the bugzilla you linked has not been implemented. https://bugzilla.redhat.com/show_bug.cgi?id=1650233#c26 Thus, ... it seems impossible to make cups FIPS compliant ... also in that bugzilla. For now, it seems you have to bypass FIPS for Cups. I would suggest opening a new bugzilla with the information from this post, the link to the previous bugzilla, and asking whether it is / can be fixed, or if there is already a configuration workaround in place. Open it against Cups. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure