Error installing packages when FIPS is enabled #2505
Comments
For anyone who wants to reproduce this - the magic commands you have to use to make libraries like
This is the backtrace of the command line mentioned in the ticket, after enabling FIPS-mode with
I tried taking a stab at this today - and unless I am missing something, there might not be an easy workaround anymore to get MD5 to work with OpenSSL. If true, I am not entirely sure what this means for us. We could add our own MD5 library. However, while that is a technical workaround, I am not sure if this might render the system no longer FIPS compliant - I am not sure there still is a carve-out for using MD5 for non-security use in the current iteration of FIPS. If someone has any information on that, I would be curious. The second alternative - which might be preferable - would be to make sure that Zeek is able to run without requiring the use of MD5.
I like this one. Are we losing anything by dropping it?
Replacing MD5 in the IP address anonymization routines would be a breaking change for users that supply their own HMAC seeds for predictable outputs for the same inputs across restarts. I've never seen anonymization used this way, only ever in anonymizing the output of a PCAP for sharing, but it's worth knowing.
It's my understanding that it's still permitted to use MD5 for non-security applications in 140-3. The above example, though, would qualify as a security application, as it's used to protect identifiable information.
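An added example (not Zeek's or the package manager's own code) of the non-security MD5 question discussed above, in Python because hashlib is backed by the system OpenSSL: it probes whether the active provider will construct MD5 at all, declares non-security use via `usedforsecurity=False` where the interpreter supports it, and otherwise degrades to SHA-256. The function names and sample input are constructed for this example.

```python
"""Probe for MD5 availability under a FIPS-configured OpenSSL and fall back
to SHA-256 for non-security digest uses (added example, not Zeek code)."""
import hashlib


def _md5(data: bytes):
    """Construct an MD5 object, declaring non-security use where supported.

    Python 3.9+ accepts usedforsecurity=False, which some FIPS-configured
    builds honour for non-security uses; older interpreters raise TypeError
    on the keyword, so retry without it. A provider that refuses MD5
    entirely raises ValueError ("unsupported hash type"), which is left to
    propagate to the caller.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        return hashlib.md5(data)


def md5_available() -> bool:
    """True if the backing provider will construct an MD5 digest at all."""
    try:
        _md5(b"")
    except ValueError:
        return False
    return True


def content_fingerprint(data: bytes) -> tuple:
    """Return (algorithm, hexdigest) for a non-security use such as a cache key.

    Prefers MD5 for compatibility with fingerprints already stored, but
    degrades to SHA-256 when the provider refuses MD5, so callers keep
    working instead of failing the way the package install in this issue does.
    """
    try:
        return "md5", _md5(data).hexdigest()
    except ValueError:
        return "sha256", hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample input, not taken from the issue.
    print(md5_available(), content_fingerprint(b"abc"))
```

Run it once with FIPS enabled and once without: the first element of the tuple tells you which algorithm the provider actually allowed, which is the quickest way to confirm the environment before debugging a package install.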
Installing packages while FIPS is enabled can be addressed by using the Plugins that use
I'm putting this on the radar again, for 7.0. It also strikes me as the right direction to strip MD5 functionality from Zeek in this setting. This doesn't look too daunting per se — MD5 isn't particularly entrenched in the code — but it certainly brings up other technical/maintainability/UX questions.
+1 interest in FIPS compliance for Zeek.
Turns out there's a quick way to reproduce on Fedora, since its OpenSSL supports toggling via an env var:
Host: RedHat Enterprise Linux 9
Zeek release: 5.0.2
OpenSSL version: 3.0.1
When you try to install the af_packet package on a RHEL9 host with FIPS enabled, it returns the following error:
Testing against openssl framework confirms some type of problem when FIPS is enabled:
Disabling the FIPS framework, everything works OK.