[ale] Libgcrypt warning: MD5 used - FIPS mode inactivated
Adrya Stembridge
adrya.stembridge at gmail.com
Thu Aug 13 16:38:56 EDT 2015
ls -ltR /etc/pki/ reveals no newly created files prior to enabling FIPS.
There are a few package differences, but for things like openmanage and
some additional tools needed on the production side. libgcrypt and
freetds (contains tsql) are identical.
Last night I removed/reinstalled freetds with no success (the old conf file
was moved out of the way).
On Thu, Aug 13, 2015 at 2:36 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
> OK. Time to run rpm -qa on both dev and new and diff the list. Something
> is missing or diff version on new system.
>
> Hmm. So the pre-fips connection with tsql worked. That implies it was
> using md5. Converting the system to fips compliant didn't change the tsql
> config to use sha1 keys so it still uses (tries) md5.
>
> Delete the old md5 keys for tsql or remove the package entirely and
> reinstall (after renaming out the config as conf.old). Do you see keys with
> creation dates prior to FIPS in /etc/pki?
>
> On Thu, 2015-08-13 at 14:22 -0400, Adrya Stembridge wrote:
>
> On Thu, Aug 13, 2015 at 12:25 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
> The rhel instructions look like the system keys will default to weaker
> non-FIPS unless fips=1 is a kernel param at at system installation. So *converting
> an existing system won't work*. So weak keys with libgcrypt will call for
> fallback to non-fips but then fails since it's a denied operations mode.
>
>
> I went through the same steps of activating FIPS on my dev instance, and
> do not have the libgcrypt error, and am able to tsql to my SQL Server
> machine. Confirmed FIPS is active and working using the steps written in
> my initial post to the list.
>
>
> --
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his
> own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> http://heretothereideas.blogspot.com/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20150813/e1aab208/attachment.html>
More information about the Ale
mailing list