FIPS Support?

Problem:
Foreman Web UI produces 500 error with FIPS enabled in OpenSSL.

I want to get this on your radar: any USGov users of Foreman will likely hit this if they are striving to run compliant systems. I’m not sure there’s a reasonable fix that the Foreman team can bring to bear, but until we get something, it seems I will have to file a compliance deviation to get around this.

Expected outcome:
Foreman Web UI should work with FIPS enabled.

Foreman and Proxy versions:
1.17.0

Foreman and Proxy plugin versions:

Other relevant data:
This appears to be a Ruby or Ruby on Rails related problem. Foreman 1.17 appears to be using Ruby 2.4. There are some notes at bugs.ruby-lang.org on FIPS related issues, but I’ve not tracked down which versions of Ruby the issues are tied to.

The error in /var/log/httpd/error_log is:
App 3113 stderr: md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!

@sean we are working through some of the issues now and over the next month or so. Would you be willing to test out stuff from @iNecas and @Anurag as they become available?

Please see http://projects.theforeman.org/issues/3511 for the list of all currently known fips-related issues.

I’m happy to help!

Thanks for the list to track the FIPS work. I will have to set up another system and try to dig deeper into what function was causing the issue; admittedly, when I enabled FIPS, I didn’t think much about the impact, and after the bit of research I did, I reverted to a pre-FIPS snapshot of the VM and have since moved on. I can say that this error came up immediately after rebooting the system after enabling FIPS.

For most of the known issues, there are already patches available upstream. However, many times these patches are released in dependencies. Therefore I’ve put together a bash script to apply known patches [1] (tested with nightly installed on CentOS).

It also adds a workaround to log MD5 usages and use SHA1 instead of crashing the process, which is the default FIPS behaviour.

What would help would be applying those patches and, while using the system (not recommending doing so directly in production before you’re sure it works well in a non-production setup), watching for ‘FIPS’ messages in the logs or other unexpected behaviour that works in a non-FIPS environment.

[1] https://gist.github.com/iNecas/8cd95a07ce1700068307020e2beb0441
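The "log MD5 usages and use SHA1 instead of crashing" workaround mentioned above, as an added illustration in Ruby. This is not the content of the linked gist and not Foreman code; it assumes a hypothetical `FipsSafeDigest` wrapper that callers route digest requests through, and it lets the FIPS state be overridden with a keyword argument so the behaviour can be exercised on a host that is not running in FIPS mode.

```ruby
# Added example (not from the thread or the gist): funnel digest calls through one
# place so that MD5 use can be logged with its call site and, when OpenSSL is in
# FIPS mode, replaced with SHA1 rather than letting md5_dgst.c abort the process.
require 'digest/md5'
require 'digest/sha1'
require 'logger'
require 'openssl'

module FipsSafeDigest
  # Digests OpenSSL refuses in FIPS mode, mapped to the stand-in used instead.
  # MD5 is the one that produced the 500 error reported in this thread.
  FORBIDDEN_IN_FIPS = { 'MD5' => 'SHA1' }.freeze

  @log = Logger.new($stderr)
  @events = [] # in-memory copy of the logged messages, for tests and audits

  class << self
    attr_reader :events

    # Use the explicit override when given; otherwise ask the OpenSSL binding.
    # OpenSSL.fips_mode exists in Ruby's openssl extension; respond_to? guards
    # against builds where it is absent.
    def fips_mode?(override = nil)
      return override unless override.nil?
      OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode
    end

    # Returns the hex digest of +data+ under +algorithm+ ("MD5", "SHA1", ...).
    # In FIPS mode a forbidden algorithm is logged and swapped for its stand-in.
    def hexdigest(algorithm, data, fips: nil)
      name = algorithm.to_s.upcase
      if fips_mode?(fips) && FORBIDDEN_IN_FIPS.key?(name)
        replacement = FORBIDDEN_IN_FIPS[name]
        site = caller_locations(1, 1).first
        record("FIPS: #{name} requested at #{site}; using #{replacement} instead")
        name = replacement
      end
      Digest.const_get(name).hexdigest(data)
    end

    private

    def record(msg)
      @events << msg
      @log.warn(msg)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input; the fips: true override simulates a FIPS host.
  puts FipsSafeDigest.hexdigest('MD5', 'abc', fips: false)
  puts FipsSafeDigest.hexdigest('MD5', 'abc', fips: true)
end
```

The point of the wrapper is the log line, not the substitute digest: the SHA1 output differs from the MD5 value the caller expected, so anything that compares against stored MD5 hashes will mismatch once the fallback kicks in. Grepping the log for `FIPS:` tells you which call sites still need a proper upstream fix, which is the testing the post above asks for.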