I have Ubuntu 18.04 FIPS running via cloud provider marketplace image. Recently the libssl1.1 package was updated, from libssl1.1/now 1.1.1-1ubuntu2.fips.2.1~18.04.3.1 to 1.1.1-1ubuntu2.fips.2.1~18.04.6.2 amd64.
After this update was applied, connecting to the system via ssh -o KexAlgorithms=diffie-hellman-group-exchange-sha256 user@host fails, with the following in the ssh server log:
Nov 10 00:04:05 <name redacted> sshd[24359]: FIPS mode initialized
Nov 10 00:04:05 <name redacted> sshd[24359]: ssh_dispatch_run_fatal: Connection from <ip redacted> port 12076: error in libcrypto [preauth]
I looked in the changelog for the package and did not note anything that directly applied to this algorithm. It looks like unintended behavior.
We require this KEX algorithm because it is the only one with overlap from a system we do not have control of.
Anyone else run into this?
The old version does not appear in the output of apt-list -a, apt-cache madison, and downgrade attempts do not work.
Bookmarks