
We developed a web-app using Ruby on Rails as our front-end running on nginx. Recently, due to some security audits, our server was patched for FIPS 140-2 compliance, which is a government standard for crypto modules. They installed dracut-fips, modified grub.boot to add fips=1, and sshd_config to only allow FIPS compliant algorithms, basically disallowing MD5.

After this patching was done, I noticed that nginx was giving us a very generic error and we couldn't access our web app. I noticed the following in the nginx error logs:

App 19865 stderr: md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
2016/04/06 13:48:13 [error] 19193#0: *24 upstream prematurely closed connection while reading response header from upstream, client: XXX.XX.XX.X, server: localhost, request: "GET /XXX/YYY/ZZZ HTTP/1.1", upstream: "passenger:/tmp/passenger.1.0.19172/generation-0/request:", host: "XX.XX.XX.XX:8080"
[ 2016-04-06 13:48:15.0082 19176/7f2908497700 Pool2/Pool.h:777 ]: Process (pid=20439, group=/opt/www/ASDFASDF#default) no longer exists! Detaching it from the pool.

There is not much else in any of our application logs. I do notice in /var/log/messages:

Apr  6 13:43:49 HOSTNAME abrt[20213]: Saved core dump of pid 20062 (/usr/local/rvm/rubies/ruby-2.1.0/bin/ruby) to /var/spool/abrt/ccpp-2016-04-06-13:43:48-20062 (159068160 bytes)
Apr  6 13:43:49 HOSTNAME abrtd: Directory 'ccpp-2016-04-06-13:43:48-20062' creation detected
Apr  6 13:43:49 HOSTNAME abrtd: Executable '/usr/local/rvm/rubies/ruby-2.1.0/bin/ruby' doesn't belong to any package and ProcessUnpackaged is set to 'no'
Apr  6 13:43:49 HOSTNAME abrtd: 'post-create' on '/var/spool/abrt/ccpp-2016-04-06-13:43:48-20062' exited with 1
Apr  6 13:43:49 HOSTNAME abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2016-04-06-13:43:48-20062'

We're using:

  • RHEL 6.5
  • Ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-linux]
  • Rails 4.0.3
  • nginx version: nginx/1.4.4
  • RVM

I searched our codebase for "Digest::MD5" but can't find it anywhere. I'm wondering if it is a gem that is causing this, or if there is simply a flag that we can set to not use MD5?

Evan Chin

2 Answers


The issue may be in Rails. Rails uses Digest::MD5 in several places and is not compliant with the FIPS 140-2 standard.

James Shewey
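The question asks which gem or code path is reaching MD5, and this answer says it is somewhere in Rails. Below is an added diagnostic written for this page (not code from the question, either answer, Rails or Ruby) that makes the call site visible: it hooks the class-level entry points of Digest::MD5 (and OpenSSL::Digest::MD5 when loaded) and writes the caller to stderr before the digest is created. The hook has to sit on the class methods rather than on initialize because the assertion in the log (md5_dgst.c, i.e. MD5_Init) fires while Ruby's digest extension is allocating the object, which is before initialize runs and at which point the whole Ruby process is aborted (hence the abrt core dumps in /var/log/messages); a message written after that point would never appear. The same module includes a static grep over installed gem sources, since the asker searched the app but not its gems. Assumptions: the file name config/initializers/md5_tracer.rb, the module name Md5Tracer and the sample files used in the self-check are all hypothetical.

```ruby
# Added example for this page: trace who instantiates MD5 in a Ruby/Rails
# process, and grep installed gems for MD5 usage. Not from the original post,
# Rails or Ruby. Assumed usage: save as config/initializers/md5_tracer.rb
# (hypothetical name) and call Md5Tracer.install_all at boot.
require 'digest/md5'
require 'openssl'

module Md5Tracer
  CALLS = []  # every MD5 instantiation seen: { klass:, site:, backtrace: }

  # Records the first frame outside the digest libraries. caller_locations(2)
  # skips this method and the hook that called it.
  def self.record(klass_name)
    frames = caller_locations(2).reject { |l| File.basename(l.path) == 'digest.rb' }
    site   = frames.first ? "#{frames.first.path}:#{frames.first.lineno}" : 'unknown'
    CALLS << { klass: klass_name, site: site, backtrace: frames.first(5).map(&:to_s) }
    # Log BEFORE the digest is allocated: in FIPS mode the allocation aborts.
    $stderr.puts "[md5_tracer] #{klass_name} instantiated from #{site}"
  end

  # Prepended to the digest class's singleton class. Digest::MD5.digest and
  # .hexdigest allocate the object in C without going through new, so all
  # three entry points are wrapped; base64digest and file call digest/new.
  module ClassHook
    %i[new digest hexdigest].each do |m|
      define_method(m) do |*args, &blk|
        prev = Thread.current[:md5_tracer_busy]
        Md5Tracer.record(name) unless prev   # hexdigest calls digest: count once
        Thread.current[:md5_tracer_busy] = true
        begin
          super(*args, &blk)
        ensure
          Thread.current[:md5_tracer_busy] = prev
        end
      end
    end
  end

  def self.install(klass)
    klass.singleton_class.prepend(ClassHook) unless klass.singleton_class.ancestors.include?(ClassHook)
    klass
  end

  def self.install_all
    classes = [Digest::MD5]
    classes << OpenSSL::Digest::MD5 if defined?(OpenSSL::Digest::MD5)
    classes.each { |k| install(k) }
  end

  # Kernel-side view of FIPS mode, the same file the asker checked by hand.
  # The path argument exists so the check can be pointed at a constructed file.
  def self.kernel_fips_enabled?(path = '/proc/sys/crypto/fips_enabled')
    File.read(path).strip == '1'
  rescue Errno::ENOENT, Errno::EACCES
    false
  end

  def self.status
    { kernel_fips: kernel_fips_enabled?, openssl_fips: OpenSSL.fips_mode,
      md5_calls_seen: CALLS.size }
  end

  # Static complement to the runtime hook: grep Ruby sources under the given
  # directories. Matches Digest::MD5 and string lookups such as
  # OpenSSL::Digest.new("md5"). Returns "path:line: text" strings.
  MD5_PATTERN = /Digest::MD5|['"]md5['"]/i

  def self.scan(dirs)
    hits = []
    dirs.each do |dir|
      Dir.glob(File.join(dir, '**', '*.rb')).sort.each do |file|
        File.foreach(file).with_index(1) do |line, n|
          line = line.scrub   # gem sources are not always valid UTF-8
          hits << "#{file}:#{n}: #{line.strip}" if line.match?(MD5_PATTERN)
        end
      end
    end
    hits
  end

  # Every installed gem plus any extra directories (e.g. the app root).
  def self.scan_gems(extra = [])
    scan(Gem::Specification.map(&:full_gem_path).uniq + extra)
  end
end

if $PROGRAM_NAME == __FILE__
  Md5Tracer.install_all
  Digest::MD5.hexdigest('abc')   # on a FIPS host this is where the abort happens
  p Md5Tracer.status
end
```

Run it inside the app, request the failing URL, and the last `[md5_tracer]` line in Passenger's stderr (the same stream that carried the OpenSSL assertion above) names the file and line that triggered MD5; `Md5Tracer.scan_gems([Rails.root.to_s])` gives the static list to compare against.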

According to this bugzilla, this will work in versions of Ruby >= 2.2.

Woot4Moo
  • So I created a VM to try this out - installed RHEL 6.5, ruby 2.2.4p230 (2015-12-16 revision 53155) [x86_64-linux], Rails 4.2.6, no nginx (spinning up rails server locally instead). I put the system into FIPS mode and confirmed with trying to do a digest with MD5 as well as checking /proc/sys/crypto/fips_enabled. After scaffolding a new rails project, it still gives me the same error. – Evan Chin Apr 11 '16 at 18:11
  • This patch just makes ruby no longer core dump. It does not make MD5 work in ruby. I tested in Ruby 2.4 with CentOS 7, and this message is still thrown. – James Shewey Nov 22 '17 at 17:38