View Issue Details

IDProjectCategoryView StatusLast Update
0017653CentOS-7ipmitoolpublic2020-08-13 11:20
ReporterAlexanderAmelkin 
PriorityurgentSeverityblockReproducibilityalways
Status newResolutionopen 
Product Version7.0-1406 
Target VersionFixed in Version 
Summary0017653: ipmitool fails to connect to modern OpenBMC due to error in cipher suite matching
DescriptionA lot of servers is using OpenBMC stack for their management controllers.
Some time ago the OpenBMC project has dropped support for cipher suite 3 due to its insecurity.
Before that happened, the upstream ipmitool has been updated and a bug that prevented proper cipher suite negotiation has been fixed there.
However, those commits have not been imported yet to the CentOS 7 ipmitool package. That results in CentOS 7 ipmitool failing to authenticate over lanplus interface to any modern OpenBMC-driven controllers.
Steps To ReproduceUsing ipmitool-1.8.18-7.el7.x86_64.rpm or ipmitool-1.8.18-9.el7.x86_64.rpm try to query any modern OpenBMC-driven BMC and observe an error:

```
$ ipmitool -H <openbmc_ip_address> -I lanplus -U <username> -P <password> mc info
Error in open session response message : invalid authentication algorithm

Error: Unable to establish IPMI v2 / RMCP+ session
```
Additional InformationOpenBMC commit that dropped cipher suite 3:
https://github.com/openbmc/openbmc/commit/a95e4a952c182380b98edcd8d4f615faabb8af95

Upstream ipmitool commits that fix the issue:
https://github.com/ipmitool/ipmitool/commit/7772254b62826b894ca629df8c597030a98f4f72 lanplus: Auto-select 'best' cipher suite available
https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4 channel: Fix buffer overflow
TagsOpenBMC
abrt_hash
URL

Activities

ManuelWolfshant

ManuelWolfshant

2020-08-07 23:09

manager   ~0037507

CentOS is a rebuild of the sources used to create RHEL and aims to reproduce RHEL bug for bug and feature for feature. Please submit your request to Redhat via bugzilla.redhat.com and if/when RH accepts it and incorporates it into RHEL and releases a patched version, then CentOS will pick it up automatically. Since RHEL 7.9 is around the corner, at best the change you've requested might be implemented in RHEL 7.10 However RHEL 7 is already in maintenance mode so this change might get rejected.

For easier tracking, please crosslink this bug with the one opened at bugzilla.redhat.com.
AlexanderAmelkin

AlexanderAmelkin

2020-08-13 11:11

reporter   ~0037535

Thanks. Created a bug report in RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1868637

Issue History

Date Modified Username Field Change
2020-08-07 18:35 AlexanderAmelkin New Issue
2020-08-07 18:35 AlexanderAmelkin Tag Attached: OpenBMC
2020-08-07 23:09 ManuelWolfshant Note Added: 0037507
2020-08-13 11:11 AlexanderAmelkin Note Added: 0037535