[ale] Libgcrypt warning: MD5 used - FIPS mode inactivated

Jim Kinney jim.kinney at gmail.com
Thu Aug 13 12:25:33 EDT 2015


Eowch! That really sounds like libgcrypt has a nasty bug that is failing to
use the appropriate encryption tools.

Or...

The RHEL instructions look like the system keys will default to weaker
non-FIPS unless fips=1 is a kernel param at system installation. So
converting an existing system won't work. So weak keys with libgcrypt will
call for fallback to non-FIPS but then fails since it's a denied operations
mode.

I'm at my wits' end with an oddball problem involving libgcrypt. I
activated the FIPS module on a CentOS 6.7 machine and am getting a
libgcrypt warning when using certain resources (mail and tsql for example).


*Steps to reproduce:*

Enable OpenSSH FIPS 140-2 module using these instructions
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html>.

1) edit /etc/sysconfig/prelink and set PRELINKING=NO. Issue prelink -u -a
at a prompt.
2) yum install dracut-fips
3) dracut -f
4) add "fips=1" and "boot=/dev/sda3" to kernel line of grub.conf. df /boot
revealed the correct boot partition.
5) ensure /etc/ssh/sshd_config is configured with:

Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512


After rebooting, I confirmed that FIPS mode is enabled by using openssl md5
somefile (fails) and openssl sha1 somefile (succeeds). Also:

$ cat /proc/sys/crypto/fips_enabled
1

Finally, knowing that FIPS is enabled, I attempted to connect to a remote
SQL Server instance with a config that worked prior to enabling FIPS:

[mybox ~]# tsql -S egServer80 -U myusername
Password:
locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
    Adaptive Server connection failed
There was a problem connecting to the server

I checked the log files and find this:

tsql: Libgcrypt warning: MD5 used - FIPS mode inactivated

Enabling debug in freetds yielded this additional error:

14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS internal error.

Additional Information:
Backing out the FIPS module (removing fips=1 from grub.conf) and rebooting
sets things back to normal (I was able to tsql into my SQL Server instance
again).

I can reproduce the same libgcrypt/tsql error without enabling FIPS 140-2
module in grub, by creating an empty file /etc/gcrypt/fips_enabled.
Removing this file sets the system back to normal, and tsql works again.

CentOS version 6.7
libgcrypt version 1.4.5
freetds version 0.91
openssl version 1.0.1e


Why (or how) is enabling FIPS in grub (or creating
/etc/gcrypt/fips_enabled) causing
`libgcrypt` to fail on this machine?
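
The manual checks in the message above, collected into one script as an added example that is not part of the original thread. The function names and the optional ROOT path prefix are assumptions of this sketch; a result of "file" from the first function is the state reproduced above by creating /etc/gcrypt/fips_enabled without fips=1.

```shell
#!/bin/sh
# Added example, not from the thread. The optional ROOT argument (assumption)
# prefixes every path so the checks can run against a constructed tree.

# Which of the two switches from the post would put libgcrypt into FIPS
# mode: prints kernel, file, both or off.
gcrypt_fips_source() {
    root=${1:-}; k=0; f=0
    [ "$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null)" = "1" ] && k=1
    [ -e "$root/etc/gcrypt/fips_enabled" ] && f=1
    case "$k$f" in
        11) echo both ;; 10) echo kernel ;; 01) echo file ;; *) echo off ;;
    esac
}

# Steps 1 and 4: prelink disabled, fips=1 and boot= on the running kernel
# line. Prints the gaps found, or "ok".
fips_boot_gaps() {
    root=${1:-}; gaps=""
    cmdline=$(cat "$root/proc/cmdline" 2>/dev/null || true)
    case " $cmdline " in *" fips=1 "*) ;; *) gaps="$gaps missing-fips=1" ;; esac
    case " $cmdline " in *" boot="*) ;; *) gaps="$gaps missing-boot=" ;; esac
    if [ -f "$root/etc/sysconfig/prelink" ] &&
       ! grep -qi '^[[:space:]]*PRELINKING=no' "$root/etc/sysconfig/prelink"; then
        gaps="$gaps prelink-enabled"
    fi
    gaps=${gaps# }; echo "${gaps:-ok}"
}

# Step 5: print sshd_config Ciphers/MACs entries that are not on the list
# given in the post, one per line.
sshd_unlisted() {
    allowed="aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc
             aes256-cbc hmac-sha1 hmac-sha2-256 hmac-sha2-512"
    awk 'tolower($1) == "ciphers" || tolower($1) == "macs" {
             n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' \
        "${1:-}/etc/ssh/sshd_config" 2>/dev/null |
    while read -r alg; do
        case " $(echo $allowed) " in *" $alg "*) ;; *) echo "$alg" ;; esac
    done
}

fips_report() {
    echo "libgcrypt FIPS trigger:   $(gcrypt_fips_source "${1:-}")"
    echo "boot/prelink gaps:        $(fips_boot_gaps "${1:-}")"
    echo "sshd entries not on list: $(sshd_unlisted "${1:-}" | tr '\n' ' ')"
}

# Run as: sh <this-script> report [ROOT]
if [ "${1:-}" = "report" ]; then fips_report "${2:-}"; fi
```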


