Thank you all for working on this. However, I have a question about how it will be rolled out in production.
The fix, from my understanding, is to change the SALT from 8 to 16 bytes. In order to do this, FIPS has to be off, and all the mailboxes reset their passwords first. Then re-enable FIPS. Is this correct? If so, then this will work for new installations implementing FIPS and encrypted mailboxes. However, in our scenario with existing service, we don't really have the luxury of either. FIPS is a requirement.

Additionally, we have a large number (well over 50,000 mailboxes) that are "recipient" mailboxes and not specifically "user" mailboxes (this is due to our particular usage of Dovecot). We have no control of when a message is sent through our service to a recipient, nor when a recipient may log in to read the message. A mailbox may have a single message sent to it sometime in the past year, or it may have hundreds of messages.

I wonder if there is perhaps some way to implement some split-version logic in determining which SALT to use (8 vs 16) while keeping FIPS enabled, so that new messages can be sent to recipients until such time as they log in and reset their password. Is that even possible to implement within OpenSSL, or would that require an upstream item from them in OpenSSL 3.x, since it is OpenSSL that is requiring the 16 byte SALT?

Additionally, there are at least two use cases of this issue: our own issue, and the other individual whose issue I linked to in my original ticket. Who knows who else may not have gotten around to upgrading 20.04 to 22.04 FIPS, since it is still relatively new, and do not realize that this is currently a breaking change in the upgrade.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2107773

Title: [SRU] Enabling FIPS causes SALT to be 8 bytes, but OpenSSL 3.0.2 checks if SALT is < 16 bytes, breaking Dovecot and possibly other packages.
--
ubuntu-bugs mailing list: https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
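As an added illustration of the "split-version" idea raised in the message above (example code written here, not code from Dovecot, Ubuntu or the bug report): stored records carry a version tag, verification accepts both salt lengths, and a record with a short salt is re-derived with a fresh 16-byte salt the next time its owner authenticates, so recipients who never log in keep working and nobody needs a forced reset. The record format, version tags, field order and round count are constructed for this example; under a FIPS-only OpenSSL build the legacy 8-byte derivation would still have to go through a non-FIPS code path, which is the part this snippet cannot solve.

```python
import hashlib
import hmac
import os

# Constructed record format for this example (not Dovecot's own scheme):
#   "v1$<hex salt>$<rounds>$<hex derived key>"  legacy record, 8-byte salt
#   "v2$<hex salt>$<rounds>$<hex derived key>"  FIPS-compliant record, 16-byte salt
FIPS_MIN_SALT = 16   # OpenSSL 3.x FIPS provider rejects PBKDF2 salts shorter than this
LEGACY_SALT = 8      # salt length the report says FIPS mode produced
ROUNDS = 100_000     # assumed iteration count for new records

def derive(password: bytes, salt: bytes, rounds: int) -> bytes:
    # hashlib.pbkdf2_hmac is usually backed by OpenSSL; with the FIPS provider
    # active this call fails for len(salt) < 16, which is the breakage reported.
    return hashlib.pbkdf2_hmac("sha256", password, salt, rounds)

def make_record(password: bytes, salt_len: int = FIPS_MIN_SALT, rounds: int = ROUNDS) -> str:
    salt = os.urandom(salt_len)
    version = "v2" if salt_len >= FIPS_MIN_SALT else "v1"
    return f"{version}${salt.hex()}${rounds}${derive(password, salt, rounds).hex()}"

def parse_record(record: str):
    version, salt_hex, rounds, dk_hex = record.split("$")
    return version, bytes.fromhex(salt_hex), int(rounds), bytes.fromhex(dk_hex)

def needs_upgrade(record: str) -> bool:
    # Decide by the actual salt length, not the tag, so mislabelled rows are caught.
    _, salt, _, _ = parse_record(record)
    return len(salt) < FIPS_MIN_SALT

def verify_and_upgrade(password: bytes, record: str):
    """Return (ok, new_record). new_record is a fresh 16-byte-salt record when the
    stored one would be rejected under FIPS, otherwise None. The upgrade can only
    happen here because it is the only moment the plaintext password is available."""
    _, salt, rounds, dk = parse_record(record)
    if not hmac.compare_digest(derive(password, salt, rounds), dk):
        return False, None
    if len(salt) < FIPS_MIN_SALT:
        return True, make_record(password)
    return True, None

def count_pending(records) -> int:
    # Inventory helper: how many mailboxes still hold a short salt.
    return sum(1 for r in records if needs_upgrade(r))
```

The caller persists `new_record` whenever it is not None, so the store converges to 16-byte salts at the rate users authenticate, and `count_pending` tracks how many legacy rows remain.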
