FIPS support in nginx?
kirti maindargikar
nginx-forum at forum.nginx.org
Tue Jul 9 06:09:47 UTC 2019
Hi, We are using 1.10.3 nginx in FIPS mode. As discussed above we already
have FIPS enabled on RHEL and we have recompiled nginx with OpenSSL FIPS.
However we still see that Nginx is using MD5 algorithms ( which is not
allowed in FIPS mode ) when we use proxy_cache to cache pictures .
Looks like nginx uses MD5 hash to create the name of the cached image file.
As given in this link
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key
Syntax:
proxy_cache_path path[levels=levels][use_temp_path=on|off]
keys_zone=name:size[inactive=time][max_size=size][manager_files=number][manager_sleep=time][manager_threshold=time][loader_files=number][loader_sleep=time][loader_threshold=time][purger=on|off][purger_files=number][purger_sleep=time][purger_threshold=time];
"Sets the path and other parameters of a cache. Cache data are stored in
files. The file name in a cache is a result of applying the MD5 function to
the cache key. The levels parameter defines hierarchy levels of a cache:
from 1 to 3, each level accepts values 1 or 2. For example, in the following
configuration"
proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;
file names in a cache will look like this:
/data/nginx/cache/c/29/b7f54b2df7773722d382f4809d65029c
As nginx is using MD5 here, which is not supported in FIPS, we are getting
openssl error
"md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5
forbidden in FIPS mode!"
Is there a way to configure nginx to use fips compliant algorithms like
SH256 instead of MD5 in proxy cache ?
Or does it need a code fix in nginx? If so which file/module may require a
code fix here ?
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,284539,284788#msg-284788
More information about the nginx
mailing list