<p dir="ltr">Eowch! That really sounds like libgcrypt has a nasty bug that is failing to use the appropriate encryption tools.</p>
<p dir="ltr">Or...</p>
<p dir="ltr">The RHEL instructions look like the system keys will default to weaker non-FIPS unless fips=1 is a kernel param at system installation. So converting an existing system won't work. So weak keys with libgcrypt will call for fallback to non-FIPS but then fails since it's a denied operations mode.</p>
<div class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I'm at my wits' end with an oddball problem involving libgcrypt. I activated the FIPS module on a CentOS 6.7 machine and am getting a libgcrypt warning when using certain resources (mail and tsql for example). <br></div><div><br></div><div><br></div><b>Steps to reproduce: </b><br><br>Enable openSSH FIPS 140-2 module using <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html" target="_blank">these instructions</a>.<br><br>1) edit /etc/sysconfig/prelink and set PRELINKING=NO. Issue prelink -u -a at a prompt.<br>2) yum install dracut-fips<br>3) dracut -f<br>4) add "fips=1" and "boot=/dev/sda3" to kernel line of grub.conf. df /boot revealed the correct boot partition.<br>5) ensure /etc/ssh/sshd_config is configured with:<br><dl><dd><code><br>Protocol 2<br>Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc<br>Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512</code></dd></dl><br><br><br>After rebooting, I confirmed that FIPS mode is enabled by using<dl><dd><code>openssl md5 somefile (fails)</code></dd></dl> and<dl><dd><code>openssl sha1 somefile (succeeds)</code></dd></dl>Also:<br><dl><dd><code><br>$ cat /proc/sys/crypto/fips_enabled<br>1</code></dd></dl><br>Finally,
knowing that FIPS is enabled, I attempted to connect to a remote SQL
Server instance with a config that worked prior to enabling FIPS:<dl><dd><code>[mybox ~]# tsql -S egServer80 -U myusername<br>Password:<br>locale is "en_US.UTF-8"<br>locale charset is "UTF-8"<br>using default charset "UTF-8"<br>Error 20002 (severity 9):<br> Adaptive Server connection failed<br>There was a problem connecting to the server</code></dd></dl><br>I checked the log files and find this:<dl><dd><code>tsql: Libgcrypt warning: MD5 used - FIPS mode inactivated</code></dd></dl>Enabling debug in freetds yielded this additional error:<dl><dd><code>14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS internal error.<br></code></dd></dl><br><span style="font-weight:bold">Additional Information: </span><br>Backing
out the FIPS module (removing fips=1 from grub.conf) and rebooting sets
things back to normal (I was able to tsql into my SQL Server instance
again).<br><br>I can reproduce the same libgcrypt/tsql error without
enabling FIPS 140-2 module in grub, by creating an empty file
<font face="monospace, monospace">/etc/gcrypt/fips_enabled</font>. Removing this file sets the system back to
normal, and tsql works again.<br><br>CentOS version 6.7<br>libgcrypt version 1.4.5<br>freetds version 0.91<br>openssl version 1.0.1e<br><br><br>Why (or how) is enabling FIPS in grub (or creating <span style="font-family:monospace,monospace">/etc/gcrypt/fips_enabled)</span> causing `libgcrypt` to fail on this machine?<br><div><br><br></div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
<br></div>
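<p>Added example, not part of the original thread: a read-only shell check that reports which of the FIPS switches mentioned above is active, separating kernel-wide FIPS mode from the <code>/etc/gcrypt/fips_enabled</code> flag file that reproduces the failure on its own. The function names and the ROOT argument are assumptions made for this sketch; the paths and the warning string are the ones quoted in the post.</p>

```shell
#!/bin/sh
# Added example: read-only report of the FIPS switches named in the thread.
# Each check takes ROOT, a filesystem root: "" is the live system, and a
# constructed directory tree can be passed instead.

kernel_fips() {   # 1 if /proc/sys/crypto/fips_enabled holds a non-zero value
    v=$(cat "$1/proc/sys/crypto/fips_enabled" 2>/dev/null) || v=0
    case "$v" in ''|0) echo 0 ;; *) echo 1 ;; esac
}

cmdline_fips() {  # 1 if fips=1 is on the kernel command line (step 4)
    if grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)' "$1/proc/cmdline" 2>/dev/null
    then echo 1; else echo 0; fi
}

gcrypt_flag() {   # 1 if /etc/gcrypt/fips_enabled exists; an empty file counts
    if [ -e "$1/etc/gcrypt/fips_enabled" ]; then echo 1; else echo 0; fi
}

prelink_off() {   # 1 if /etc/sysconfig/prelink sets PRELINKING=NO (step 1)
    if grep -Eq '^[[:space:]]*PRELINKING="?[Nn][Oo]"?[[:space:]]*$' \
        "$1/etc/sysconfig/prelink" 2>/dev/null
    then echo 1; else echo 0; fi
}

# Name the switch that would put libgcrypt into FIPS mode under ROOT.
fips_state() {
    k=$(kernel_fips "$1"); c=$(cmdline_fips "$1"); g=$(gcrypt_flag "$1")
    if   [ "$k" = 1 ]; then echo kernel        # system-wide FIPS mode
    elif [ "$g" = 1 ]; then echo gcrypt-only   # flag file alone, as in the post
    elif [ "$c" = 1 ]; then echo inconsistent  # fips=1 given, kernel flag is 0
    else echo off; fi
}

# Count the libgcrypt MD5 warning quoted in the post in log file $1.
md5_warnings() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Libgcrypt warning: MD5 used - FIPS mode inactivated' "$1" || true
}

# Report for the live system.
echo "fips_state=$(fips_state "") prelink_off=$(prelink_off "")"
```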