Libgcrypt warning: MD5 used - FIPS mode inactivated

Adrya Stembridge adrya.stembridge at gmail.com
Tue Aug 18 16:45:10 CEST 2015


I'm at my wits end with an odd problem involving libgcrypt and am hoping
the list can offer insight or assistance.

*In summary: *
I recently activated the FIPS module on a CentOS 6.7 machine and
immediately began seeing libgcrypt warnings when using certain resources
(http and tsql for example).   This only occurs with one system.  Another
machine with CentOS 6.7 using FIPS does not have the libgcrypt warnings.

What could be causing libgcrypt to use MD5 when FIPS is enabled?    Is it
possible to force libgcrypt to use SHA instead of MD5?


Details below...

*Steps to reproduce: *

Enable openSSH FIPS 140-2 module using these instructions
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html>
.

1) edit /etc/sysconfig/prelink and set PRELINKING=NO. Issue prelink -u -a
at a prompt.
2) yum install dracut-fips
3) dracut -f
4) add "fips=1" and "boot=/dev/sda3" to kernel line of grub.conf. df /boot
revealed the correct boot partition.
5) ensure /etc/ssh/sshd_config is configured with:

Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Macs hmac-sha1,hmac-sha2-256,hmac-sha2-512


After rebooting, I confirmed that FIPS mode is enabled by using
openssl md5 somefile (fails) and
openssl sha1 somefile (succeeds). Also:

$ cat /proc/sys/crypto/fips_enabled
1

Finally, knowing that FIPS is enabled, I attempted to connect to a remote
SQL Server instance with a config that worked prior to enabling FIPS:

[mybox ~]# tsql -S egServer80 -U myusername
Password:
locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
    Adaptive Server connection failed
There was a problem connecting to the server

I checked the log files and found this:

tsql: Libgcrypt warning: MD5 used - FIPS mode inactivated

Enabling debug in freetds yielded this additional error:

14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS internal error.

Additional Information:
Backing out the FIPS module (removing fips=1 from grub.conf) and rebooting
sets things back to normal (I was able to tsql into my SQL Server instance
again).

I can reproduce the same libgcrypt/tsql error without enabling the FIPS 140-2
module in grub, by creating an empty file /etc/gcrypt/fips_enabled. Removing
this file sets the system back to normal, and tsql works again.

CentOS version 6.7
libgcrypt version 1.4.5
freetds version 0.91
openssl version 1.0.1e

As before, a second CentOS 6.7 machine with FIPS enabled and an identical
freetds config connecting to the same external resource does not have
the libgcrypt warnings.


Many thanks.
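
An added example, not part of the original message or of libgcrypt: a shell function that reports the FIPS-related settings named in the message as key=value lines, so the output from the two CentOS machines can be compared with diff. The function name, the optional root-prefix argument and the output keys are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise the FIPS-related settings from the message.
# fips_report and its root-prefix argument are hypothetical names; the
# prefix lets the check run against a copied or mounted file tree.

fips_report() {
    root="${1:-}"

    # Kernel flag, as read in the message with cat.
    kflag=$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null || echo absent)
    echo "kernel_fips_enabled=$kflag"

    # Flag file that the message shows is enough to reproduce the warning.
    if [ -e "$root/etc/gcrypt/fips_enabled" ]; then gfile=present; else gfile=absent; fi
    echo "gcrypt_flag_file=$gfile"

    # libgcrypt is asked to start in FIPS mode if either trigger is set.
    case "$kflag" in
        absent|0) kern_on=no ;;
        *)        kern_on=yes ;;
    esac
    if [ "$kern_on" = yes ] || [ "$gfile" = present ]; then
        echo "libgcrypt_fips_requested=yes"
    else
        echo "libgcrypt_fips_requested=no"
    fi

    # Step 1 of the message: PRELINKING should be NO.
    pl=$(sed -n 's/^[[:space:]]*PRELINKING=//p' "$root/etc/sysconfig/prelink" 2>/dev/null | tail -n 1)
    echo "prelinking=${pl:-unset}"

    # Step 5 of the message: list any MD5-based MAC still in sshd_config.
    macs=$(awk 'tolower($1)=="macs" {print $2}' "$root/etc/ssh/sshd_config" 2>/dev/null | tail -n 1)
    md5=$(printf '%s\n' "$macs" | tr ',' '\n' | grep -i md5 | paste -sd, -)
    echo "sshd_md5_macs=${md5:-none}"
}

# With no argument this inspects the running system.
fips_report "${1:-}"
```

Saving the output on each host and running diff on the two files shows where their FIPS configuration differs; it does not identify which library call requests MD5.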