[ale] Libgcrypt warning: MD5 used - FIPS mode inactivated

Crawford Rainwater crawford.rainwater at linux-etc.com
Thu Aug 13 12:21:13 EDT 2015


(My apologies in advance for any delayed responses as I receive the ALE lists in Digest format.)

Adrya:

I had a similar issue, though using authenticated NTP services.  MD5 I believe is not a valid FIPS 140-2 method.  You would have to use another like SHA/SHA1 potentially.  This was documented in one of the RHEL6 NTP packages "man pages" for creating the NTP authentication key on the server side, though I do not recall the actual package or "man <command>" I used to see the big "FIPS 140-2" notation regarding MD5 is not approved.  I admit, seeing that notation was indeed finding the proverbial needle in a haystack as well.

HTH.

--- Crawford

The Linux ETC Company
10121 Yates Court
Westminster, CO 80031 USA
voice:  +1.303.604.2550
web:    http://www.linux-etc.com


----- ale-request at ale.org wrote:
>   30. Libgcrypt warning: MD5 used - FIPS mode inactivated
>       (Adrya Stembridge)
> ------------------------------
> 
> Message: 30
> Date: Thu, 13 Aug 2015 10:36:42 -0400
> From: Adrya Stembridge <adrya.stembridge at gmail.com>
> To: Atlanta Linux Enthusiasts <ale at ale.org>
> Subject: [ale] Libgcrypt warning: MD5 used - FIPS mode inactivated
> 
> I'm at my wits end with an oddball problem involving libgcrypt.   I
> activated the FIPS module on a CentOS 6.7 machine and am getting a
> libgcrypt warning when using certain resources (mail and tsql for example).
> 
> 
> *Steps to reproduce: *
> 
> Enable openSSH FIPS 140-2 module using these instructions
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html>
> .
> 
> 1) edit /etc/sysconfig/prelink and set PRELINKING=NO. Issue prelink -u -a
> at a prompt.
> 2) yum install dracut-fips
> 3) dracut -f
> 4) add "fips=1" and "boot=/dev/sda3" to kernel line of grub.conf. df /boot
> revealed the correct boot partion.
> 5) ensure /etc/ssh/sshd_config is configured with:
> 
> Protocol 2
> Ciphers
> aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
> Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512
> 
> 
> After rebooting, I confirmed that FIPS mode is enabled by usingopenssl md5
> somefile (fails) andopenssl sha1 somefile (succeeds)Also:
> 
> $ cat /proc/sys/crypto/fips_enabled
> 1
> Finally, knowing that FIPS is enabled, I attempted to connect to a remote
> SQL Server instance with a config that worked prior to enabling FIPS:[mybox
> ~]# tsql -S egServer80 -U myusername
> Password:
> locale is "en_US.UTF-8"
> locale charset is "UTF-8"
> using default charset "UTF-8"
> Error 20002 (severity 9):
>     Adaptive Server connection failed
> There was a problem connecting to the server
> I checked the log files and find this:tsql: Libgcrypt warning: MD5 used -
> FIPS mode inactivatedEnabling debug in freetds yielded this additional
> error:14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS
> internal error.
> 
> Additional Information:
> Backing out the FIPS module (removing fips=1 from grub.conf) and rebooting
> sets things back to normal (I was able to tsql into my SQL Server instance
> again).
> 
> I can reproduce the same libgcrypt/tsql error without enabling FIPS 140-2
> module in grub, by creating an empty file /etc/gcrypt/fips_enabled.
> Removing this file sets the system back to normal, and tsql works again.
> 
> CentOS version 6.7
> libgcrypt version 1.4.5
> freetds version 0.91
> openssl version 1.0.1e
> 
> 
> Why (or how) is enabling FIPS in grub (or creating
> /etc/gcrypt/fips_enabled) causing
> `libgcrypt` to fail on this machine?


More information about the Ale mailing list