[ale] Libgcrypt warning: MD5 used - FIPS mode inactivated

Adrya Stembridge adrya.stembridge at gmail.com
Thu Aug 13 10:36:42 EDT 2015 

I'm at my wits end with an oddball problem involving libgcrypt.   I
activated the FIPS module on a CentOS 6.7 machine and am getting a
libgcrypt warning when using certain resources (mail and tsql for example).


*Steps to reproduce: *

Enable openSSH FIPS 140-2 module using these instructions
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html>
.

1) edit /etc/sysconfig/prelink and set PRELINKING=NO. Issue prelink -u -a
at a prompt.
2) yum install dracut-fips
3) dracut -f
4) add "fips=1" and "boot=/dev/sda3" to kernel line of grub.conf. df /boot
revealed the correct boot partion.
5) ensure /etc/ssh/sshd_config is configured with:

Protocol 2
Ciphers
aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512


After rebooting, I confirmed that FIPS mode is enabled by usingopenssl md5
somefile (fails) andopenssl sha1 somefile (succeeds)Also:

$ cat /proc/sys/crypto/fips_enabled
1
Finally, knowing that FIPS is enabled, I attempted to connect to a remote
SQL Server instance with a config that worked prior to enabling FIPS:[mybox
~]# tsql -S egServer80 -U myusername
Password:
locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
    Adaptive Server connection failed
There was a problem connecting to the server
I checked the log files and find this:tsql: Libgcrypt warning: MD5 used -
FIPS mode inactivatedEnabling debug in freetds yielded this additional
error:14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS
internal error.

Additional Information:
Backing out the FIPS module (removing fips=1 from grub.conf) and rebooting
sets things back to normal (I was able to tsql into my SQL Server instance
again).

I can reproduce the same libgcrypt/tsql error without enabling FIPS 140-2
module in grub, by creating an empty file /etc/gcrypt/fips_enabled.
Removing this file sets the system back to normal, and tsql works again.

CentOS version 6.7
libgcrypt version 1.4.5
freetds version 0.91
openssl version 1.0.1e


Why (or how) is enabling FIPS in grub (or creating
/etc/gcrypt/fips_enabled) causing
`libgcrypt` to fail on this machine?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20150813/c375ae3e/attachment.html>

More information about the Ale mailing list