What were you trying to do that didn't work?
When in FIPS mode, connections that use NTLM authentication work. This is despite NTLM using MD5 for password hashing.
Please provide the package NVR for which bug is seen:
curl-7.76.1-29.el9_4.x86_64
How reproducible:
always
Steps to reproduce
- connect to a service that uses NTLM authentication in HTTP in FIPS mode
Expected results
the connection fails
Actual results
The connection works
The decision to ignore FIPS requirements should be left to the user. The preferred way to do it is through the use of crypto-policies. We already have the `AD-SUPPORT` subpolicy used in FIPS mode for compatibility of Kerberos with Active Directory.
At the same time, the use of non-compliant cryptography in curl is not documented: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#ref_list-of-rhel-applications-using-cryptography-that-is-not-compliant-with-fips-140-3_using-the-system-wide-cryptographic-policies
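
A check an administrator could run to find hosts in the state this report describes (FIPS mode enabled, curl built with NTLM support). This is an added example, not part of the original report or of curl; the function names and the sample `curl --version` text are constructed. It only inspects the kernel FIPS flag and curl's advertised build features, it does not attempt an NTLM handshake.

```shell
#!/usr/bin/env bash
# Added example: flag hosts where FIPS mode is on but curl advertises NTLM.

# Constructed sample of `curl --version` output (not captured from a real host).
SAMPLE_CURL='curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.7
Protocols: file ftp http https
Features: GSS-API HTTPS-proxy IPv6 Kerberos NTLM NTLM_WB SPNEGO SSL'

# Read `curl --version` text on stdin; succeed only if the "Features:" line
# lists NTLM as a whole word (NTLM_WB on its own does not count).
curl_has_ntlm() {
    awk '/^Features:/ { for (i = 2; i <= NF; i++) if ($i == "NTLM") found = 1 }
         END { exit !found }'
}

# assess FIPS_FLAG POLICY CURL_VERSION_TEXT
# Prints one of: not-fips, fips-no-ntlm, fips-ntlm-available, followed by
# the active crypto-policy so any subpolicy in use is visible to the reviewer.
assess() {
    a_fips=$1; a_policy=$2; a_curl=$3
    if [ "$a_fips" != "1" ]; then
        a_state="not-fips"
    elif printf '%s\n' "$a_curl" | curl_has_ntlm; then
        a_state="fips-ntlm-available"
    else
        a_state="fips-no-ntlm"
    fi
    echo "$a_state policy=$a_policy"
}

# Collect the three inputs from the running system and assess them.
live_check() {
    l_fips=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)
    l_policy=$(update-crypto-policies --show 2>/dev/null || echo unknown)
    l_curl=$(curl --version 2>/dev/null || true)
    assess "$l_fips" "$l_policy" "$l_curl"
}

# Run against the live host only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A result of `fips-ntlm-available` means the host matches the condition in this report and NTLM use by curl should be reviewed.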