Welcome! Log In Create A New Profile

Advanced

Re: FIPS support in nginx?

Maxim Dounin
July 09, 2019 05:12AM
Hello!

On Tue, Jul 09, 2019 at 02:09:47AM -0400, kirti maindargikar wrote:

> Hi, We are using 1.10.3 nginx in FIPS mode. As discussed above we already
> have FIPS enabled on RHEL and we have recompiled nginx with OpenSSL FIPS.
> However we still see that Nginx is using MD5 algorithms ( which is not
> allowed in FIPS mode ) when we use proxy_cache to cache pictures .
> Looks like nginx uses MD5 hash to create the name of the cached image file.

Yes, it does. It is, however, used for non-security purpose, and
this has nothing to do with FIPS.

[...]

> As nginx is using MD5 here, which is not supported in FIPS, we are getting
> openssl error
>
> "md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5
> forbidden in FIPS mode!"

Upgrade to nginx 1.11.2 or later. Starting with this version,
nginx will use internal MD5 implementation for hashing cache keys,
so using RHEL with FIPS enabled won't cause errors.

Note well that nginx 1.10.3 is obsolete for more than two years
now, so you may want to upgrade anyway. Latest nginx version is
1.17.1, latest stable is 1.16.0.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

FIPS support in nginx?

tlemons June 14, 2019 02:26PM

Re: FIPS support in nginx?

Vladimir Homutov June 17, 2019 05:02AM

Re: FIPS support in nginx?

kirti maindargikar July 09, 2019 02:09AM

Re: FIPS support in nginx?

kirti maindargikar July 09, 2019 02:13AM

Re: FIPS support in nginx?

Maxim Dounin July 09, 2019 05:12AM

Re: FIPS support in nginx?

tlemons July 09, 2019 03:32PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 121
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready