[ale] Libgcrypt warning: MD5 used - FIPS mode inactivated
Crawford Rainwater
crawford.rainwater at linux-etc.com
Thu Aug 13 12:21:13 EDT 2015
(My apologies in advance for any delayed responses as I receive the ALE lists in Digest format.)
Adrya:
I had a similar issue, though using authenticated NTP services. MD5 I believe is not a valid FIPS 140-2 method. You would have to use another like SHA/SHA1 potentially. This was documented in one of the RHEL6 NTP packages "man pages" for creating the NTP authentication key on the server side, though I do not recall the actual package or "man <command>" I used to see the big "FIPS 140-2" notation regarding MD5 is not approved. I admit, seeing that notation was indeed finding the proverbial needle in a haystack as well.
HTH.
--- Crawford
The Linux ETC Company
10121 Yates Court
Westminster, CO 80031 USA
voice: +1.303.604.2550
web: http://www.linux-etc.com
----- ale-request at ale.org wrote:
> 30. Libgcrypt warning: MD5 used - FIPS mode inactivated
> (Adrya Stembridge)
> ------------------------------
>
> Message: 30
> Date: Thu, 13 Aug 2015 10:36:42 -0400
> From: Adrya Stembridge <adrya.stembridge at gmail.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: [ale] Libgcrypt warning: MD5 used - FIPS mode inactivated
>
> I'm at my wits end with an oddball problem involving libgcrypt. I
> activated the FIPS module on a CentOS 6.7 machine and am getting a
> libgcrypt warning when using certain resources (mail and tsql for example).
>
>
> *Steps to reproduce: *
>
> Enable openSSH FIPS 140-2 module using these instructions
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html>
> .
>
> 1) edit /etc/sysconfig/prelink and set PRELINKING=NO. Issue prelink -u -a
> at a prompt.
> 2) yum install dracut-fips
> 3) dracut -f
> 4) add "fips=1" and "boot=/dev/sda3" to kernel line of grub.conf. df /boot
> revealed the correct boot partion.
> 5) ensure /etc/ssh/sshd_config is configured with:
>
> Protocol 2
> Ciphers
> aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
> Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
>
>
> After rebooting, I confirmed that FIPS mode is enabled by usingopenssl md5
> somefile (fails) andopenssl sha1 somefile (succeeds)Also:
>
> $ cat /proc/sys/crypto/fips_enabled
> 1
> Finally, knowing that FIPS is enabled, I attempted to connect to a remote
> SQL Server instance with a config that worked prior to enabling FIPS:[mybox
> ~]# tsql -S egServer80 -U myusername
> Password:
> locale is "en_US.UTF-8"
> locale charset is "UTF-8"
> using default charset "UTF-8"
> Error 20002 (severity 9):
> Adaptive Server connection failed
> There was a problem connecting to the server
> I checked the log files and find this:tsql: Libgcrypt warning: MD5 used -
> FIPS mode inactivatedEnabling debug in freetds yielded this additional
> error:14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS
> internal error.
>
> Additional Information:
> Backing out the FIPS module (removing fips=1 from grub.conf) and rebooting
> sets things back to normal (I was able to tsql into my SQL Server instance
> again).
>
> I can reproduce the same libgcrypt/tsql error without enabling FIPS 140-2
> module in grub, by creating an empty file /etc/gcrypt/fips_enabled.
> Removing this file sets the system back to normal, and tsql works again.
>
> CentOS version 6.7
> libgcrypt version 1.4.5
> freetds version 0.91
> openssl version 1.0.1e
>
>
> Why (or how) is enabling FIPS in grub (or creating
> /etc/gcrypt/fips_enabled) causing
> `libgcrypt` to fail on this machine?
More information about the Ale
mailing list