RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1287610 - yum message in output when FIPS is enabled
Summary: yum message in output when FIPS is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: yum
Version: 7.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Michal Domonkos
QA Contact: Eva Mrakova
URL:
Whiteboard:
Depends On:
Blocks: 1420851 1465896 1466368
TreeView+ depends on / blocked
 
Reported: 2015-12-02 12:50 UTC by Pavel Studeník
Modified: 2021-06-10 11:03 UTC (History)
13 users (show)

Fixed In Version: yum-3.4.3-155.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 15:05:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 541974 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 802458 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Bugzilla 902357 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Product Errata RHBA-2018:0845 0 None None None 2018-04-10 15:07:10 UTC

Internal Links: 541974 802458 902357

Description Pavel Studeník 2015-12-02 12:50:08 UTC 
Description of problem:
I enabled FIPS on RHEL7.2 and when I used yum this mode, I received message on output. 

>> LC_ALL=C yum repolist --disablerepo=*
Checksum type 'md5' disabled
Loaded plugins: product-id, search-disabled-repos, subscription-manager
repolist: 0

Version-Release number of selected component (if applicable):
yum-3.4.3-132.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. enable FIPS
2. python -c "import yum"
Checksum type 'md5' disabled

Actual results:
on output: Checksum type 'md5' disabled

Expected results:
without this messages
Comment 4 yuefliu 2017-04-06 08:18:48 UTC 
The bug still exits on RHEL-7.4-20170330.n.1 with 'yum-3.4.3-154.el7.noarch' when run "yum" and "subscription-manager".
Comment 5 Lesley Kimmel 2017-04-21 13:31:20 UTC 
I don't know if this is a useful or new data point, but I just kickstarted a system using 'fips=1' from the get-go and did not encounter this issue. However, with systems built without fips mode and transitioned later it does occur.
Comment 7 Karel Srot 2017-07-18 07:02:54 UTC 
IMHO the message should be printed in debug mode only.
Comment 8 Brad Viviano 2017-08-03 11:22:15 UTC 
After upgrading to RHEL 7.4 with FIPS enabled I am now getting a nightly email from cron because of /etc/cron.daily/rhsmd on all of my RHEL 7.4 systems about:

Checksum type 'md5' disabled

This should be fixed in /usr/libexec/rhsmd or /etc/cron.daily/rhsmd should do something useful with the output, instead of me getting one message per system per day about this.
Comment 13 Michal Domonkos 2017-09-15 09:00:18 UTC 
I made a patch that removes the "Checksum type 'md5' disabled" message when in FIPS mode so that the user is not confused/bothered in normal yum operations that don't involve md5 (most common scenario).  However, if yum actually tries to access a repo using md5 hashes while in FIPS mode, it will now at least state the reason in the error message that normally appears when a just downloaded metadata file doesn't verify:

old message: "Error performing checksum"
new message: "Error performing checksum: md5 algorithm is not FIPS compliant"

Upstream PR:
https://github.com/rpm-software-management/yum/pull/51
Comment 14 Michal Domonkos 2017-09-15 09:11:22 UTC 
(In reply to Karel Srot from comment #7)
> IMHO the message should be printed in debug mode only.

This is actually not quite possible due to the fact that the message is printed during the misc.py module initialization, at which point logging hasn't been configured yet and we also haven't parsed the command line (to know we're in debug mode).  So I just removed the message for the FIPS case; logging it in debug mode wouldn't have any real benefits anyway (we do print an error if md5 is actually used, see comment 13).
Comment 15 Michal Domonkos 2017-09-15 09:16:07 UTC 
(In reply to Michal Domonkos from comment #13)
> However, if yum actually tries to access a repo using md5 hashes while in FIPS mode

s/using/which uses/
Comment 22 errata-xmlrpc 2018-04-10 15:05:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0845
Note You need to log in before you can comment on or make changes to this bug.