Description
Chef Server Version
Chef Server 15.7.0 el9
Platform Details
Rocky Linux 9.2 / RHEL 9.2
Scenario
After RHEL 9/Rocky Linux 9 released
Steps to Reproduce
RHEL/Rocky Linux/AlmaLinux 9 has released security update RHSA-2023:3722-01 [ https://lwn.net/Articles/935817/ ], which prevents clients (which are also in FIPS mode) from connecting to the Chef server when it is running in FIPS mode. The new update forces EMS support, which is ONLY supported in OpenSSL 1.1 or higher and won't work with OpenSSL 1.0.xx, which has already been deprecated for a while. Chef Server [chef-server-core-15.7.0-1.el9.x86_64.rpm or chef-server-core-15.7.0-1.el8.x86_64.rpm] uses its own OpenSSL 1.0.x version, which is not compatible, as stated in the RHEL release notes [ https://access.redhat.com/solutions/7018256 ].
/opt/opscode/embedded/sbin/nginx -V
nginx version: openresty/1.21.4.1rc1
built with OpenSSL 1.0.2zg-fips 7 Feb 2023
TLS SNI support enabled
configure arguments: --prefix=/opt/opscode/embedded/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2 -L/opt/opscode/embedded/lib -I/opt/opscode/embedded/include' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.21rc1 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.11rc1 --with-ld-opt='-Wl,-rpath,/opt/opscode/embedded/luajit/lib -L/opt/opscode/embedded/lib -Wl,-rpath,/opt/opscode/embedded/lib -lssl -lcrypto -ldl -lz' --sbin-path=/opt/opscode/embedded/sbin/nginx --conf-path=/opt/opscode/embedded/conf/nginx.conf --with-http_ssl_module --with-http_stub_status_module --with-md5-asm --with-sha1-asm --with-pcre-jit --without-http_ssi_module --without-mail_smtp_module --without-mail_imap_module --without-mail_pop3_module --with-http_v2_module --with-ipv6 --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module
The integrated OpenSSL version in Chef for nginx needs to be upgraded and it currently blocks everything.
Expected Result
Should just work.
Actual Result
When manually trying to connect via curl with the client set to FIPS mode and using the newer OpenSSL version:
curl -v -k https://myserver.test.com/health --tls-max 1.2
* Trying 10.1.3.22:443...
* Connected to myserver.test.com (10.1.3.22) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, handshake failure (552):
* error:1C8000E9:Provider routines::ems not enabled
* Closing connection 0
curl: (35) error:1C8000E9:Provider routines::ems not enabled
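As an added example (not from this issue or from the Chef project), the following Python script checks from the operator's side whether a TLS 1.2 server echoes the extended_master_secret extension (RFC 7627) in its ServerHello, which is what the FIPS provider in the updated OpenSSL 3 on RHEL 9 insists on before it will finish the handshake. A server built on OpenSSL 1.0.2 without EMS support will simply not echo the extension, so the check lets you inventory affected servers before clients start failing. The script builds a minimal ClientHello, parses the ServerHello and reports the result. The host name, the port and the embedded sample ServerHello records are constructed for offline demonstration; only `probe()` talks to the network.

```python
"""Check whether a TLS 1.2 server negotiates Extended Master Secret (RFC 7627)."""
import os
import socket
import struct
import sys
from typing import Optional

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_GROUPS = 0x000A
EXT_EC_POINT_FORMATS = 0x000B
EXT_SIGNATURE_ALGORITHMS = 0x000D
EXT_EXTENDED_MASTER_SECRET = 0x0017  # extension type from RFC 7627

HANDSHAKE = 22       # TLS record content type
CLIENT_HELLO = 1     # handshake message types
SERVER_HELLO = 2


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str, client_random: Optional[bytes] = None) -> bytes:
    """Return one TLS record carrying a TLS 1.2 ClientHello that offers EMS."""
    rnd = client_random if client_random is not None else os.urandom(32)
    # A few widely deployed TLS 1.2 suites (ECDHE-GCM, RSA-GCM, RSA-CBC).
    suites = [0xC02F, 0xC030, 0xC02B, 0xC02C, 0x009C, 0x009D, 0x002F, 0x0035]
    suites_b = b"".join(struct.pack("!H", s) for s in suites)
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    groups = b"".join(struct.pack("!H", g) for g in (0x001D, 0x0017, 0x0018))  # x25519, P-256, P-384
    sigalgs = b"".join(struct.pack("!H", a) for a in (0x0804, 0x0401, 0x0403, 0x0501, 0x0601))
    extensions = (
        _ext(EXT_SERVER_NAME, sni)
        + _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(groups)) + groups)
        + _ext(EXT_EC_POINT_FORMATS, b"\x01\x00")  # uncompressed points only
        + _ext(EXT_SIGNATURE_ALGORITHMS, struct.pack("!H", len(sigalgs)) + sigalgs)
        + _ext(EXT_EXTENDED_MASTER_SECRET, b"")      # empty body: "I support EMS"
    )
    body = (
        b"\x03\x03" + rnd + b"\x00"                      # version 1.2, random, empty session id
        + struct.pack("!H", len(suites_b)) + suites_b
        + b"\x01\x00"                                    # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse the ServerHello carried in a handshake record; raise on alerts or other types."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"expected handshake record, got content type {ctype}")
    hs = record[5:5 + rec_len]
    if hs[0] != SERVER_HELLO:
        raise ValueError(f"expected ServerHello, got handshake type {hs[0]}")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip server random
    pos += 1 + body[pos]                          # skip session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                      # cipher suite + compression method
    exts = set()
    if pos < len(body):                           # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.add(etype)
            pos += 4 + elen
    return {"version": version, "cipher_suite": cipher, "extensions": exts}


def negotiates_ems(record: bytes) -> bool:
    """True when the server echoed extended_master_secret in its ServerHello."""
    return EXT_EXTENDED_MASTER_SECRET in parse_server_hello(record)["extensions"]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect, send the ClientHello and report whether the server negotiates EMS."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        header = _recv_exact(s, 5)
        record = header + _recv_exact(s, struct.unpack("!H", header[3:5])[0])
    return negotiates_ems(record)


def sample_server_hello(with_ems: bool) -> bytes:
    """Constructed (not captured) ServerHello record selecting ECDHE-RSA-AES128-GCM-SHA256."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
    if with_ems:
        exts = _ext(EXT_EXTENDED_MASTER_SECRET, b"")
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # e.g. python ems_check.py myserver.test.com
        print("EMS negotiated:", probe(sys.argv[1]))
    else:
        for flag in (True, False):
            print("sample with_ems=%s -> negotiates_ems=%s" % (flag, negotiates_ems(sample_server_hello(flag))))
```

A server that answers `False` here will fail against FIPS-mode clients carrying the RHSA-2023:3722 OpenSSL update exactly as the curl trace above shows (`ems not enabled`), so the fix has to land on the server side (an OpenSSL build with EMS support in front of the API) rather than in client configuration.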