RDM 2024.1.2.3-1 for Fedora 40 in FIPS mode Cryptography error
In trying to connect to an existing Google Drive configuration (created with the Windows version) from Linux, I get the following error:
OpenSslCryptographicException - error:0308010C:digital envelope routines::unsupported
   at Interop.Crypto.CheckValidOpenSslHandle(SafeHandle handle)
   at System.Security.Cryptography.TripleDesImplementation.CreateTransform(Byte[] rgbKey, Byte[] rgbIV, Boolean encrypting)
   at Devolutions.Utils.ObfuscationUtils.GetEncryptorTransform(String key)
   at Devolutions.Utils.ObfuscationUtils.ObfuscateInternal(Byte[] bytes, String key)
   at Devolutions.Utils.ObfuscationUtils.Obfuscate(Byte[] bytes, String key)
   at Devolutions.RemoteDesktopManager.Business.RDPConnection.set_Password(String value)
   at Client.Views.Connections.ConnectionSettings.RDPConnectionSettingsView.SaveInConnection(Connection connectionToSave)
   at Client.Windows.ConnectionSettings.BaseConnectionSettingsWindow.Save()
   at InvokeStub_EventHandler.Invoke(Object, Span`1)
   at System.Reflection.MethodBaseInvoker.InvokeWithFewArgs(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
Also:
# update-crypto-policies --show
FIPS:AD-SUPPORT:SHA1
# fips-mode-setup --check
FIPS mode is enabled.
Initramfs fips module is enabled.
The current crypto policy (FIPS:AD-SUPPORT:SHA1) is based on the FIPS policy.
#
Any troubleshooting steps I can take, please let me know.
Thank you in advance!
Hello,
I have created a ticket, and we will investigate this issue. We will keep you updated.
Regards,
Gabriel Dubois
Gabriel,
Thank you very much!
Hi,
It would appear that the OpenSSL installation on your machine does not support the necessary protocols.
Would you be able to run openssl version and openssl list -digest-algorithms so I can see what version of OpenSSL is installed and what algorithms are supported?
Cheers,
David Ringuet
David,
You bet - please see:
# openssl version
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)
# openssl list -digest-algorithms
Legacy:
RSA-MD4 => MD4
RSA-MD5 => MD5
RSA-RIPEMD160 => RIPEMD160
RSA-SHA1 => SHA1
RSA-SHA1-2 => RSA-SHA1
RSA-SHA224 => SHA224
RSA-SHA256 => SHA256
RSA-SHA3-224 => SHA3-224
RSA-SHA3-256 => SHA3-256
RSA-SHA3-384 => SHA3-384
RSA-SHA3-512 => SHA3-512
RSA-SHA384 => SHA384
RSA-SHA512 => SHA512
RSA-SHA512/224 => SHA512-224
RSA-SHA512/256 => SHA512-256
RSA-SM3 => SM3
BLAKE2b512
BLAKE2s256
id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
MD4
md4WithRSAEncryption => MD4
MD5
MD5-SHA1
md5WithRSAEncryption => MD5
ripemd => RIPEMD160
RIPEMD160
ripemd160WithRSA => RIPEMD160
rmd160 => RIPEMD160
SHA1
sha1WithRSAEncryption => SHA1
SHA224
sha224WithRSAEncryption => SHA224
SHA256
sha256WithRSAEncryption => SHA256
SHA3-224
SHA3-256
SHA3-384
SHA3-512
SHA384
sha384WithRSAEncryption => SHA384
SHA512
SHA512-224
sha512-224WithRSAEncryption => SHA512-224
SHA512-256
sha512-256WithRSAEncryption => SHA512-256
sha512WithRSAEncryption => SHA512
SHAKE128
SHAKE256
SM3
sm3WithRSAEncryption => SM3
ssl3-md5 => MD5
ssl3-sha1 => SHA1
whirlpool
Provided:
{ 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
{ 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ default
{ 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ default
{ 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
{ 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
{ 2.16.840.1.101.3.4.2.9, SHA3-384 } @ default
{ 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ default
{ 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ default
{ 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ default
{ 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
{ 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
{ 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
{ 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ default
{ 2.16.840.1.101.3.4.2.10, SHA3-512 } @ fips
{ 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ fips
{ 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ fips
{ 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips
{ 2.16.840.1.101.3.4.2.7, SHA3-224 } @ fips
{ 2.16.840.1.101.3.4.2.9, SHA3-384 } @ fips
{ 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ fips
{ 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ fips
{ 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ fips
{ 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ fips
{ 2.16.840.1.101.3.4.2.8, SHA3-256 } @ fips
{ 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ fips
{ 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ fips
#
Thank you!
Hi again!
Recently, certain components of Remote Desktop Manager have encountered compatibility issues with Fedora's FIPS mode.
We are actively investigating solutions to address this issue.
Regards,
David Ringuet
Hi,
Unfortunately, we figured out that one of the algorithms we use for obfuscation (TripleDES) has not been supported by FIPS since early 2024.
We will not be able to provide a solution for this issue on our end since it would require an overwhelming amount of work.
You might be able to use RDM if you can enable TripleDES in your supported algorithms policy.
Regards,
David Ringuet
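Added example (not part of the thread and not Devolutions code): the listing requested earlier covers digests, while the failing call is a cipher, so this sketch reads `openssl list -cipher-algorithms` output and reports which providers offer TripleDES. The function names, the constructed sample listing and the choice of the DES-EDE3-CBC variant are assumptions; the thread only says TripleDES.

```shell
#!/bin/sh
# Print the providers in the "Provided:" section that list a cipher name.
# Input (stdin): output of `openssl list -cipher-algorithms` (OpenSSL 3.x).
providers_for_cipher() {
    awk -v want="$1" '
        /^Provided:/ { provided = 1; next }
        provided && /@/ {
            prov = $NF                      # provider name follows "@"
            line = $0
            sub(/[ \t]*@.*$/, "", line)     # drop "@ provider"
            gsub(/[{}]/, "", line)          # drop braces around the names
            n = split(line, names, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", names[i])
                if (toupper(names[i]) == toupper(want)) { print prov; break }
            }
        }' | sort -u
}

# Classify a cipher: "fips" if the fips provider lists it, "non-fips-only"
# if only other providers do, "absent" if none do. Assumption: a process in
# FIPS mode fetches algorithms from the fips provider only.
cipher_status() {
    provs=$(providers_for_cipher "$1")
    if [ -z "$provs" ]; then echo "absent"
    elif printf '%s\n' "$provs" | grep -qx 'fips'; then echo "fips"
    else echo "non-fips-only"
    fi
}

# Live probe: initialise a 3DES-CBC context with a throwaway key, the same
# kind of operation as TripleDesImplementation.CreateTransform in the trace.
# Returns non-zero when the cipher cannot be initialised.
tdes_probe() {
    printf 'probe' | openssl enc -des-ede3-cbc -nosalt \
        -K 000102030405060708090a0b0c0d0e0f1011121314151617 \
        -iv 0000000000000000 >/dev/null 2>&1
}

# Constructed sample listing (not captured from the poster's machine).
SAMPLE='Provided:
  { 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } @ default
  { 1.2.840.113549.3.7, DES-EDE3-CBC, DES3 } @ default
  { 2.16.840.1.101.3.4.1.42, AES-256-CBC, AES256 } @ fips'

echo "3DES: $(printf '%s\n' "$SAMPLE" | cipher_status DES-EDE3-CBC)"
echo "AES : $(printf '%s\n' "$SAMPLE" | cipher_status AES-256-CBC)"
```

On the affected host, pipe the real listing in with `openssl list -cipher-algorithms | cipher_status DES-EDE3-CBC` and call `tdes_probe` to confirm whether a 3DES context can be created under the active crypto policy.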
Understood - thank you very much for looking into it!