Hi, We are using 1.10.3 nginx in FIPS mode. As discussed above we already have FIPS enabled on RHEL and we have recompiled nginx with OpenSSL FIPS.
However we still see that Nginx is using MD5 algorithms ( which is not allowed in FIPS mode ) when we use proxy_cache to cache pictures .
Looks like nginx uses MD5 hash to create the name of the cached image file.
As given in this link
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key
Syntax:
proxy_cache_path path[levels=levels][use_temp_path=on|off] keys_zone=name:size[inactive=time][max_size=size][manager_files=number][manager_sleep=time][manager_threshold=time][loader_files=number][loader_sleep=time][loader_threshold=time][purger=on|off][purger_files=number][purger_sleep=time][purger_threshold=time];
"Sets the path and other parameters of a cache. Cache data are stored in files. The file name in a cache is a result of applying the MD5 function to the cache key. The levels parameter defines hierarchy levels of a cache: from 1 to 3, each level accepts values 1 or 2. For example, in the following configuration"
proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;
file names in a cache will look like this:
/data/nginx/cache/c/29/b7f54b2df7773722d382f4809d65029c
As nginx is using MD5 here, which is not supported in FIPS, we are getting openssl error
"md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!"
Is there a way to configure nginx to use fips compliant algorithms like SH256 instead of MD5 in proxy cache ?
Or does it need a code fix in nginx? If so which file/module may require a code fix here ?