We had a fully patched RHEL 7.4 server, and ran the following commands on it (based on the article found here, which requires a Red Hat account to look at: https://access.redhat.com/solutions/137833 ):

yum install dracut-fips
grep -qw aes /proc/cpuinfo && echo YES || echo no
# If the above grep returns YES:
yum install dracut-fips-aesni
rpm -q prelink
mv -v /boot/initramfs-$(uname -r).img{,.bak}
dracut
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
reboot
sysctl crypto.fips_enabled
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
uuid=$(findmnt -no uuid /boot)
echo $uuid
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
reboot

Thanks,
Harry

From: Nick Couchman [mailto:vn...@apache.org]
Sent: Wednesday, January 24, 2018 11:54 AM
To: user@guacamole.apache.org
Subject: Re: Connection failures

On Wed, Jan 24, 2018 at 10:55 AM, <harry.dev...@faa.gov> wrote:

> As a test, I made a new Guacamole connection to a server that we did NOT make FIPS 140-2 compliant yet, and was able to get right in. So the FIPS 140-2 is definitely the issue. So I need to know if there’s something in guacamole 0.9.13 that I need to tweak, or libssh2. I’m not sure if I can update libssh2 to a newer version, as 1.4.3 is the latest available in the RHEL 7.4 patch trail.

Can you remind/post the changes made to make the SSH server FIPS 140-2 compliant? You may have already posted it, so apologies if that's a repeat, but I can try to reproduce and see what happens. I do not believe there is anything in Guacamole specifically that deals with this, it should all be in libssh2, but we can take a look.

-Nick