Fatal FIPS Selftest Failures
This document (7016637) is provided subject to the disclaimer at the end of this document.
Environment
Federal Information Processing Standards (FIPS)
Situation
OpenSSH fails to start with the following errors:
sshd-gen-keys-start[1033]: fips.c(137): OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
systemd[1]: Failed to start OpenSSH Daemon.
Other errors include:
wicked: Libgcrypt error: integrity check using '/usr/lib64/.libgcrypt.so.20.hmac' failed: No such file or directory
wicked: Libgcrypt notice: state transition Self-Test => Error
wicked: __ni__hashctx_new: gcry_md_open failed
wicked: cannot generate uuid for lo config - hashing failed
wicked: cannot generate uuid for eth0 config - hashing failed
Running cat /proc/sys/crypto/fips_enabled shows 1
Running cat /proc/cmdline shows output that includes fips=1
Running rpm -qa | grep fips shows only the libfipscheck1 and fipscheck packages installed.
Resolution
1. Reboot the server without the fips=1 kernel option.
2. Install the "FIPS 140-2 specific packages" pattern via YaST or use zypper install patterns-sles-fips
3. Reconfigure FIPS. (See TID7016636 - FIPS installed but not working)
4. Reboot the server with the fips=1 kernel option.
Cause
Additional Information
Other options to resolve the error: OpenSSL internal error, assertion failed: FATAL FIPS SELFTEST FAILURE
Remove any hmac-related RPMs or files.
rpm -qa | grep hmac
Check and remove:
rm /lib/.libssl.so.1.0.0.hmac
rm /lib/.libcrypto.so.1.0.0.hmac
rm /lib64/.libssl.so.1.0.0.hmac
rm /lib64/.libcrypto.so.1.0.0.hmac
rm /usr/lib64/.libgcrypt.so.20.hmac
rm /usr/lib/.libgcrypt.so.20.hmac
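The check below is an added example, not part of the SUSE document or SUSE tooling: it reports the state described under Situation (kernel in FIPS mode while the libgcrypt HMAC checksum file is absent) and lists which of the HMAC files named above are missing. The function names and the ROOT argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not SUSE tooling. ROOT (first argument of each function) is
# a hypothetical parameter for testing on a constructed tree; default "/".

# HMAC checksum files named in this document.
HMAC_FILES="/lib/.libssl.so.1.0.0.hmac
/lib/.libcrypto.so.1.0.0.hmac
/lib64/.libssl.so.1.0.0.hmac
/lib64/.libcrypto.so.1.0.0.hmac
/usr/lib64/.libgcrypt.so.20.hmac
/usr/lib/.libgcrypt.so.20.hmac"

# File named in the Libgcrypt integrity-check error in this document.
GCRYPT_HMAC="/usr/lib64/.libgcrypt.so.20.hmac"

# Succeeds when the kernel reports FIPS mode (fips_enabled contains 1).
kernel_fips_enabled() {
    r=${1:-/}; r=${r%/}
    [ "$(cat "$r/proc/sys/crypto/fips_enabled" 2>/dev/null)" = "1" ]
}

# Succeeds when fips=1 is a separate word on the kernel command line.
cmdline_has_fips() {
    r=${1:-/}; r=${r%/}
    grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)' "$r/proc/cmdline" 2>/dev/null
}

# Prints each listed HMAC file that is absent under ROOT, one per line.
missing_hmac() {
    r=${1:-/}; r=${r%/}
    for f in $HMAC_FILES; do
        [ -e "$r$f" ] || echo "$f"
    done
}

# Prints fips-off, hmac-missing (the failing state here) or hmac-present.
fips_verdict() {
    r=${1:-/}; r=${r%/}
    if ! kernel_fips_enabled "$r"; then
        echo "fips-off"
    elif [ ! -e "$r$GCRYPT_HMAC" ]; then
        echo "hmac-missing"
    else
        echo "hmac-present"
    fi
}

# Live report: sh fips-check.sh report   (script name is a placeholder)
[ "${1:-}" != "report" ] || { fips_verdict /; missing_hmac /; }
```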
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7016637
- Creation Date: 26-Jun-2015
- Modified Date: 25-Apr-2025
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com