FIPS support in nginx?
mdounin at mdounin.ru
Tue Jul 9 09:10:00 UTC 2019
On Tue, Jul 09, 2019 at 02:09:47AM -0400, kirti maindargikar wrote:
> Hi, We are using 1.10.3 nginx in FIPS mode. As discussed above we already
> have FIPS enabled on RHEL and we have recompiled nginx with OpenSSL FIPS.
> However we still see that Nginx is using MD5 algorithms ( which is not
> allowed in FIPS mode ) when we use proxy_cache to cache pictures .
> Looks like nginx uses MD5 hash to create the name of the cached image file.
Yes, it does. It is, however, used for non-security purpose, and
this has nothing to do with FIPS.
> As nginx is using MD5 here, which is not supported in FIPS, we are getting
> openssl error
> "md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5
> forbidden in FIPS mode!"
Upgrade to nginx 1.11.2 or later. Starting with this version,
nginx will use internal MD5 implementation for hashing cache keys,
so using RHEL with FIPS enabled won't cause errors.
Note well that nginx 1.10.3 is obsolete for more than two years
now, so you may want to upgrade anyway. Latest nginx version is
1.17.1, latest stable is 1.16.0.
More information about the nginx