Bug 836178 - Yum does not work with FIPS 140-2 enabled
Yum does not work with FIPS 140-2 enabled
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: yum (Show other bugs)
Unspecified Unspecified
high Severity high
: rc
: ---
Assigned To: James Antill
BaseOS QE Security Team
Depends On:
Blocks: BaseOS-FIPS-Tracker 871775
  Show dependency treegraph
Reported: 2012-06-28 05:41 EDT by Jan Kaluža
Modified: 2014-01-21 01:25 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 871775 (view as bug list)
Last Closed: 2012-06-29 14:21:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Kaluža 2012-06-28 05:41:30 EDT
Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Enable FIPS 140-2
2. run "yum install htop"
Actual results:
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored

Expected results:
Installation works

Additional info:
It's caused by the usage of md5 in the code in following file:
File "/usr/lib/python2.4/site-packages/yum/repoMDObject.py", line 89, in __init__

 infile = AutoFileChecksums(infile, ['md5', 'sha1', 'sha256'],

But 'md5' should be removed from that line (as it is newer yum versions).
Comment 1 RHEL Product and Program Management 2012-06-28 09:39:42 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 2 James Antill 2012-06-29 14:21:15 EDT
 On RHEL-5 rpm uses md5 to check packages, so doing the above is useless. You can't use yum/rpm on RHEL-5 without md5.
Comment 3 Jan Kaluža 2012-07-02 00:16:53 EDT
So just to clarify it, yum should not work on RHEL-5 when FIPS 140-2 mode [1] is enabled?

[1] http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1320.pdf
Comment 4 Steve Grubb 2012-07-05 12:05:52 EDT
Yum should output a helpful message to the user if it can't work in FIPS mode. They shouldn't have to guess why its not working.

Note You need to log in before you can comment on or make changes to this bug.