-
Notifications
You must be signed in to change notification settings - Fork 21.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rails is not compliant with FIPS 140-2 mode #31203
Comments
Can you also share an example failure when running in this mode. |
Sure, with The Foreman example, this results in:
At a lower level level:
|
Rails use MD5 mostly to generate cache keys but changing it in Rails won't be enough, e.g in the example you posted it's failing due to Passenger, not to Rails itself. |
Regardless of what rails is using MD5 for, it is not compatible with the FIPS 140-2 standard. This means that anybody who faces a NIST audit can't use any Ruby on Rails software that would trigger an MD5 hash (so pretty much no ROR period.) Also, It's not actually passenger that is throwing this error according to passenger. Passenger is spawning another application. I believe that application is The Foreman using ROR. They document this here: https://github.com/phusion/passenger/wiki/Debugging-application-startup-problems
Further reading: https://www.phusionpassenger.com/library/indepth/ruby/spawn_methods/ Or in this case, it's not slow, but crashing due to the fact that In short, whether or not it is passenger crashing in this instance is moot: Rails has some work to do to meet the FIPS 140-2 standard. |
Yes, we are using MD5 to generate the cache key for collections in ActiveRecord:
All the other usages of MD5 are in ActionPack (for cache keys and ETags) and ActiveStorage (for the integrity of uploads). I think that moving all the uses of MD5 to SHA256 isn't easy as swap the constant, making this change will blow all the existing cache entries during the upgrade of Rails so we should treat this carefully. |
No, someone who cares about Rails "meeting" the FIPS 140-2 standard has some work to do. I'm closing this as a feature request (which we don't use issues for). PRs welcome, but I don't see "use a different MD5 library" as a compelling option; if you want to pursue that route, I'd suggest pushing the change upstream into Digest itself (though it feels like a rather pointless workaround). |
For anyone else who struggles with FIPS and stumbles across this issue, the problem has been addressed in Rails 5.2, have a look at these two PRs - #31289 & #31651. Use the |
Steps to reproduce
Enable FIPS 140-2 mode as outlined at https://access.redhat.com/solutions/137833 by:
Then verify FIPS mode is enforced:
Now, with this enabled, rails applications may fail - particularly anything that uses Digest::MD5. For example: http://projects.theforeman.org/issues/3511#note-5
A few ways to mitigate this:
The text was updated successfully, but these errors were encountered: