Chef not honouring FIPS requirement #8009
https://github.com/chef/chef/blob/master/chef-config/lib/chef-config/config.rb#L1132 is not a proper FIPS fix. Ruby compiled with OpenSSL FIPS and
referenced this issue
Dec 3, 2018
That seems to date back to https://blog.chef.io/2016/03/16/fips-support-now-generally-available-in-chef-client-12-8/ at least, to wit:
"A current exception for Chef is the use of MD5 hashes to uniquely identify files stored on the Chef Server. MD5 is used only to generate unique hash IDs for files, and is not used for any cryptographic purpose. Nevertheless, Chef is investigating the effort required to replace this implementation with a FIPS-compatible algorithm."
Oh @stevendanna I already did the archaeology. We do, and patch up so that it uses Ruby's internal Digest::MD5 class. The current working theory is that some distros ship Ruby built where that just points at OpenSSL, so FIPS-enabled OpenSSL just barfs. It shouldn't affect omnibus builds though.
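A diagnostic for the situation discussed in this thread, added here as an example; it is not part of any comment above and is not Chef's code. It checks whether `Digest::MD5` and `OpenSSL::Digest` can each compute MD5 on the current Ruby build. The verdict labels and helper names are hypothetical, and it assumes FIPS mode is enabled system-wide rather than only inside one process.

```ruby
require "open3"
require "openssl"
require "rbconfig"

# MD5 of the ASCII string "abc" (RFC 1321 test vector).
MD5_ABC = "900150983cd24fb0d6963f7d28e17f72"

# One-liners run in a child interpreter, so that an implementation which
# aborts the process instead of raising cannot take this script down.
# Assumption: FIPS mode is enabled system-wide; a mode switched on only
# inside the parent process is not inherited by the child.
PROBES = {
  "Digest::MD5" => 'require "digest"; print Digest::MD5.hexdigest("abc")',
  "OpenSSL::Digest" => 'require "openssl"; print OpenSSL::Digest.new("MD5").hexdigest("abc")',
}.freeze

# Run one probe and report success plus the last stderr line on failure.
def run_probe(code)
  out, err, status = Open3.capture3(RbConfig.ruby, "-e", code)
  ok = status.success? == true && out == MD5_ABC
  { ok: ok, error: ok ? nil : err.lines.last.to_s.strip }
end

# True only when this OpenSSL binding reports FIPS mode as active.
def fips_mode?
  OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode == true
end

# Hypothetical labels for the outcomes discussed in the thread.
def classify(digest_ok, openssl_ok)
  return :digest_md5_blocked unless digest_ok
  openssl_ok ? :md5_unrestricted : :internal_md5_only
end

def md5_report
  results = PROBES.transform_values { |code| run_probe(code) }
  verdict = classify(results["Digest::MD5"][:ok], results["OpenSSL::Digest"][:ok])
  { fips_mode: fips_mode?, results: results, verdict: verdict }
end

if __FILE__ == $PROGRAM_NAME
  report = md5_report
  puts "OpenSSL FIPS mode: #{report[:fips_mode]}"
  report[:results].each do |name, r|
    puts format("%-16s %s %s", name, r[:ok] ? "ok" : "FAILED", r[:error])
  end
  puts "verdict: #{report[:verdict]}"
end
```

A `:digest_md5_blocked` verdict on a FIPS host is consistent with the working theory in the last comment; `:internal_md5_only` is the state the patch described there aims for.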