Bug 705097
| Field | Value |
|---|---|
| Summary | squid fails to start and core dumps with FIPS 140-2 mode enabled |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Matt Rogers <mrogers> |
| Component | squid |
| Assignee | Michal Luscon <mluscon> |
| Status | CLOSED WONTFIX |
| QA Contact | Hubert Kario <hkario> |
| Severity | medium |
| Priority | high |
| Version | 5.6 |
| CC | christopher.balke.ctr, degts, ebenes, hkario, jskala, ovasik, prc, pwouters, rstclair, sgrubb |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Duplicates | 806800, 806864 |
| Last Closed | 2013-03-14 18:48:33 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 691449, 806800 |
Description
Matt Rogers
2011-05-16 15:49:27 UTC
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

*** Bug 806800 has been marked as a duplicate of this bug. ***

*** Bug 806864 has been marked as a duplicate of this bug. ***

This does not happen with RHEL 6.3 beta and squid in fips mode. I'm going to investigate this further on rhel 5.6.

The following patch fixes this issue. It's similar to how squid3 deals with md5 when there is no openssl code available: it provides a private md5 function that has the same api as openssl. However, in this patch I only allow this private squidMD5 function to be used with the md5 hashes of the cache store key ids. So this leaves md5 banned for authentication (eg via basic auth helpers) and TLS, when running in fips mode.

Created attachment 586241
patch to allow md5 for cache id objects in fips mode

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

Since the requested reproducer has not been provided, I am closing this bug as WORKSFORME.

Not sure what squid links against, but in FIPS mode if a disallowed algorithm is requested, then the library will abort the process. So, it's very possible that using MD5 in FIPS mode will abort squid.

It is unclear to me what has happened now. I confirmed the issue and submitted a patch half a year ago, but I don't see an update suggesting the patch was merged in? So how can it be "WORKSFORSOME"? IMHO, the patch should be used to allow MD5 to be used for the cache object file names in FIPS mode. It prevents the crasher.

The situation in rhel6 is the reverse. Upstream switched to using custom md5 code, and so we had to go in and refix it back to the old code for at least the network authentication part. The cache file names using the private function is fine.

Anyway - RHEL-5 is now in production phase 2 - so I doubt this will get in. But you are right, probably the right resolution for this should be WONTFIX. Feel free to reopen, if you think this really should be changed in RHEL-5 (and a few steps how to make a working FIPS mode RHEL-5 station might be required - I think this was meant by reproducer).
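The split the attached patch draws, MD5 still available for naming cache objects but refused for authentication and TLS under FIPS, can be shown with Python's hashlib, whose `usedforsecurity=False` flag (CPython 3.9+) is the same non-security marker a FIPS-enabled OpenSSL honours. This is an added illustration, not squid's code or the patch from this bug; the "METHOD URL" key layout, the sample URL and the helper names are assumptions made for the example.

```python
import hashlib


class FipsDigestRefused(RuntimeError):
    """Raised when the crypto backend refuses MD5 for a security use."""


def _md5_non_security(data: bytes):
    """MD5 requested for a non-cryptographic purpose (naming cache slots).

    usedforsecurity=False tells an OpenSSL-backed hashlib that the digest is
    not a security function, so a FIPS-enabled build still provides it.
    Interpreters older than 3.9 do not know the keyword; fall back to the
    plain constructor there.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:
        return hashlib.md5(data)


def md5_for_cache_key(data: bytes) -> str:
    """Hex MD5 of data on the non-security path."""
    return _md5_non_security(data).hexdigest()


def cache_store_key(method: str, url: str) -> str:
    """Identifier for a cached object.

    Hashing "METHOD URL" is an assumed layout for this example, not squid's
    actual store-key format; the point is that the digest only names a cache
    entry, so it may use the non-security MD5 path.
    """
    return md5_for_cache_key(f"{method} {url}".encode("utf-8"))


def md5_for_authentication(data: bytes) -> str:
    """MD5 requested as a security function, e.g. for a credential check.

    No usedforsecurity=False here: under FIPS the library may refuse the
    algorithm. hashlib surfaces that as ValueError instead of aborting the
    process the way a C program linked directly against the library does,
    so convert it into an explicit error the caller can handle.
    """
    try:
        return hashlib.md5(data).hexdigest()
    except ValueError as exc:
        raise FipsDigestRefused(f"MD5 refused for a security use: {exc}") from exc


def md5_blocked_for_security() -> bool:
    """True when this interpreter's crypto backend refuses MD5 for security use."""
    try:
        md5_for_authentication(b"")
    except FipsDigestRefused:
        return True
    return False


# Constructed sample request; not taken from the bug report.
SAMPLE_METHOD = "GET"
SAMPLE_URL = "http://www.example.com/index.html"

if __name__ == "__main__":
    print("cache key:", cache_store_key(SAMPLE_METHOD, SAMPLE_URL))
    print("MD5 blocked for security use:", md5_blocked_for_security())
```

On a non-FIPS host both paths return a digest; on a FIPS-enabled host only `cache_store_key` keeps working, which is the behaviour the patch aimed for in squid, without the process abort the comments describe.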