<div dir="ltr"><div>I noticed a difference in output of <font face="monospace, monospace">openssl ciphers -v 'HIGH:MEDIUM:!ADH'</font> between the working box, and the one generating libgcrypt warnings.</div><div><br></div><div>The latter shows the following ciphers in use:</div><div><pre><code>DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
KRB5-IDEA-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=MD5
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5</code></pre><pre><code><div style="white-space:normal"><span style="font-family:arial,sans-serif">The same version of openssl is used on both systems (</span><font face="monospace, monospace">OpenSSL 1.0.1e-fips 11 Feb 2013</font><font face="arial, sans-serif">). I am not seeing how to configure openssl to not use MD5 by default. This may or may not fix the libgcrypt issue, but thought it is worth investigating. <br><br>The openssl package is from CentOS (same as the second machine that does not have the libgcrypt FIPS warnings). Is it possible to change openssl's global config? I see where to change ssh and httpd's configs, but those aren't affecting what appears with </font><font face="monospace, monospace">openssl ciphers -v 'HIGH:MEDIUM:!ADH'.</font></div><div style="white-space:normal"><span style="font-family:arial,sans-serif"><br></span></div><div style="white-space:normal"><span style="font-family:arial,sans-serif"> </span></div><div style="font-family:arial,sans-serif;white-space:normal"><br></div><div style="font-family:arial,sans-serif;white-space:normal"></div></code></pre></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 13, 2015 at 4:54 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">You can run strace on the tsql process and see where the md5 bits are being found and delete the keys found.</p>
<p dir="ltr">Is it possible that the far side of the tsql connection is using md5 based on prior connections before fips change?</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Aug 13, 2015 4:38 PM, "Adrya Stembridge" <<a href="mailto:adrya.stembridge@gmail.com" target="_blank">adrya.stembridge@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">ls -ltR /etc/pki/ reveals no newly created files prior to enabling FIPS. <br><div><br></div><div>There are a few package differences, but for things like openmanage and some additional tools needed on the production side. libgcrypt and freetds (contains tsql) are identical. <br><br>Last night I removed/reinstalled freetds with no success (the old conf file was moved out of the way). </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 13, 2015 at 2:36 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div>OK. Time to run rpm -qa on both dev and new and diff the list. Something is missing or diff version on new system.</div><div><br></div><div>Hmm. So the pre-fips connection with tsql worked. That implies it was using md5. Converting the system to fips compliant didn't change the tsql config to use sha1 keys so it still uses (tries) md5. </div><div><br></div><div>Delete the old md5 keys for tsql or remove the package entirely and reinstall (after renaming out the config as conf.old). Do you see keys with creation dates prior to FIPS in /etc/pki?</div><div><div><div><br></div><div>On Thu, 2015-08-13 at 14:22 -0400, Adrya Stembridge wrote:</div><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Aug 13, 2015 at 12:25 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br><blockquote type="cite"><span style="font-size:12.8000001907349px">The rhel instructions look like the system keys will default to weaker non-FIPS unless fips=1 is a kernel param at </span>at system installation. So <b>converting an existing system won't work</b>. So weak keys with libgcrypt will call for fallback to non-fips but then fails since it's a denied operations mode.<br></blockquote><div><br></div><div>I went through the same steps of activating FIPS on my dev instance, and do not have the libgcrypt error, and am able to tsql to my SQL Server machine. Confirmed FIPS is active and working using the steps written in my initial post to the list. <br><br><br></div></div></div></div>
</blockquote></div></div><span><font color="#888888"><div><span><pre>--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
<a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a>
</pre></span></div></font></span></div></blockquote></div><br></div>
</blockquote></div>
</div></div></blockquote></div><br></div>