This bug is a tracker for the FIPS-140 compliance in the Red Hat .NET Core packages. As of now, we've discussed internally with the following summary.
.NET Core calls out to OpenSSL for all but the following crypto algorithms.
- RSA-PSS
- RSA-OAEP
- IDEA
Some work with Microsoft is needed here, as there have been discussions to move more implementations within the .NET framework.
Any update on this? The upstream issue [1] seems to also have gone silent, so let me know if there is anything needed from me to push this forward.
[1] https://github.com/dotnet/corefx/issues/29417
.NET Core 2.2 has gone EOL. I am re-targeting the bug to the latest version, .NET Core 3.1.
(In reply to David Mulford from comment #0)
> .NET Core calls out to OpenSSL for all but the following crypto algorithms.
>
> - RSA-PSS
> - RSA-OAEP
> - IDEA

With recent versions of .NET:
- It's my understanding that RSA-PSS and RSA-OAEP are only used on the fallback code paths, if OpenSSL is missing these features. These code paths shouldn't get executed on RHEL.
- The IDEA implementation is a unit test case. It's not part of the .NET product itself. The only IDEA implementation that .NET applications can make use of is the OpenSSL-based one.
We have noticed that .NET allows using MD5 (but not HMAC-MD5) even in FIPS configuration: https://github.com/dotnet/runtime/pull/94934. This is .NET explicitly telling OpenSSL that it wants to use MD5 for a use-case that's not security relevant. But an application running on .NET can go ahead and use MD5 through .NET for something security relevant, violating the intent. In other words, .NET does make some non-FIPS compliant algorithms available to applications even in FIPS mode. It seems it is up to applications not to use those algorithms in a security-relevant context in FIPS mode.
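An added example, not part of the comments in this bug or of the .NET project: a small source audit that lists where a C# application reaches MD5 or HMAC-MD5, so each MD5 use can be reviewed for security relevance before deployment in FIPS mode. The list of matched .NET entry points and the C# sample are assumptions constructed for illustration.

```python
import re

# Strip // comments but keep string literals ("//" inside a string is not a comment).
_COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|//.*')

# Assumed list of .NET entry points that reach plain MD5; extend for your code base.
MD5_USES = [
    re.compile(r"\bMD5\s*\.\s*(?:Create|HashData|TryHashData)\s*\("),
    re.compile(r"\bnew\s+MD5CryptoServiceProvider\b"),
    re.compile(r"\bHashAlgorithmName\s*\.\s*MD5\b"),
    re.compile(r'\bCreateFromName\s*\(\s*"MD5"'),
]
# HMAC-MD5 is reported separately: per the comment above it is not allowed
# in FIPS configuration, while plain MD5 is.
HMAC_MD5 = re.compile(r"\bHMACMD5\b")

def audit(source):
    """Return (line_number, kind) for every MD5 or HMAC-MD5 use in C# source text."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        code = _COMMENT.sub(lambda m: m.group(1) or "", line)
        if HMAC_MD5.search(code):
            findings.append((no, "hmac-md5"))
        if any(p.search(code) for p in MD5_USES):
            findings.append((no, "md5"))
    return findings

# Constructed C# input, not taken from any real project.
SAMPLE = '''\
using System.Security.Cryptography;
class Cache {
    // MD5.Create() was used here before
    static byte[] ETag(byte[] body) => MD5.HashData(body);
    static byte[] Token(byte[] key, byte[] msg) => new HMACMD5(key).ComputeHash(msg);
    static byte[] Sign(RSA rsa, byte[] d) =>
        rsa.SignData(d, HashAlgorithmName.MD5, RSASignaturePadding.Pkcs1);
    static byte[] Ok(byte[] d) => SHA256.HashData(d);
}
'''

if __name__ == "__main__":
    notes = {"md5": "available in FIPS mode; confirm the use is not security relevant",
             "hmac-md5": "not allowed in FIPS configuration"}
    for no, kind in audit(SAMPLE):
        print(f"line {no}: {kind}: {notes[kind]}")
```

In the sample, the `ETag` use is the kind of non-security use the comment describes, while the `HashAlgorithmName.MD5` signature on line 7 is the security-relevant kind that the runtime will not stop.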
.NET 6 reached its End of Life in 2024: https://access.redhat.com/support/policy/updates/net-core