Project: RHEL
Issue: RHEL-32361

FIPS non-compliant use of cryptography in curl is undocumented

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-9.6
    • rhel-9.3.0.z
    • curl
    • Moderate
    • sst_cs_plumbers
    • ssg_core_services
    • 2
    • False
    • All

      What were you trying to do that didn't work?

      When in FIPS mode, connections that use NTLM authentication work. This is despite NTLM using MD5 for password hashing.

      Please provide the package NVR for which the bug is seen:

      curl-7.76.1-29.el9_4.x86_64

      How reproducible:

      always

      Steps to reproduce

      1. connect to a service that uses NTLM authentication in HTTP in FIPS mode

      Expected results

      the connection fails

      Actual results

      The connection works

      The decision to ignore FIPS requirements should be left to the user. The preferred way to do it is through the use of crypto-policies. We already have the `AD-SUPPORT` subpolicy used in FIPS mode for compatibility of Kerberos with Active Directory.

      At the same time, the use of non-compliant cryptography in curl is not documented: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#ref_list-of-rhel-applications-using-cryptography-that-is-not-compliant-with-fips-140-3_using-the-system-wide-cryptographic-policies
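As an added illustration (not part of this report and not curl's or RHEL's own code), the following Python script is the kind of check an administrator can run while this behaviour is undocumented: it reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled and scans `curl -v` trace lines (or proxy logs in the same header format) for NTLM exchanges, decoding the NTLMSSP message type so that an NTLM negotiation on a FIPS-mode host is reported as a finding. The sample trace and the host name in it are constructed, not captured from a real service.

```python
import base64
import re
import struct

# Headers in which NTLM tokens travel, as printed by `curl -v` (lines are
# prefixed with "> " for requests and "< " for responses) or by proxy logs.
NTLM_HEADER = re.compile(
    r"^[<>]?\s*(Authorization|Proxy-Authorization|WWW-Authenticate|Proxy-Authenticate):"
    r"\s*NTLM(?:\s+([A-Za-z0-9+/=]+))?$",
    re.IGNORECASE,
)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"          # 8-byte signature of every NTLMSSP message
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def ntlm_message_type(token_b64):
    """Return the NTLMSSP MessageType (1, 2 or 3) carried by a base64 token,
    or None if the token is not a well-formed NTLMSSP message."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        return None
    msg_type = struct.unpack_from("<I", raw, 8)[0]   # little-endian uint32 at offset 8
    return msg_type if msg_type in MESSAGE_NAMES else None


def read_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the kernel reports FIPS mode; False if the file is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def scan_trace(lines, fips_enabled):
    """Scan trace/log lines for NTLM authentication and return one finding per
    NTLM header seen.  'stage' is 'offer' for a bare WWW-Authenticate: NTLM,
    the NTLMSSP message name for a token, or 'malformed'.  Severity is 'high'
    on a FIPS-mode host because NTLM's MD5-based password hashing is not
    FIPS-approved, and 'info' otherwise."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = NTLM_HEADER.match(line.strip())
        if not m:
            continue
        header, token = m.group(1), m.group(2)
        if token is None:
            stage = "offer"
        else:
            stage = MESSAGE_NAMES.get(ntlm_message_type(token), "malformed")
        findings.append({
            "line": lineno,
            "header": header,
            "stage": stage,
            "severity": "high" if fips_enabled else "info",
        })
    return findings


def build_sample_token(msg_type, payload=b""):
    """Build a minimal NTLMSSP message (signature + type + filler) for the
    constructed sample below; it is not a usable NTLM token."""
    return base64.b64encode(NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + payload).decode()


# Constructed sample trace in `curl -v --ntlm` style; the host name is made up.
SAMPLE_TRACE = [
    "> GET /share HTTP/1.1",
    "> Host: fileserver.example.internal",
    "< HTTP/1.1 401 Unauthorized",
    "< WWW-Authenticate: NTLM",
    "< WWW-Authenticate: Negotiate",
    "> Authorization: NTLM " + build_sample_token(1, b"\x00" * 20),
    "< HTTP/1.1 401 Unauthorized",
    "< WWW-Authenticate: NTLM " + build_sample_token(2, b"\x00" * 40),
    "> Authorization: NTLM " + build_sample_token(3, b"\x00" * 60),
    "< HTTP/1.1 200 OK",
    "> Authorization: NTLM " + base64.b64encode(b"not-an-ntlmssp-token").decode(),
]


if __name__ == "__main__":
    fips = read_fips_enabled()
    print(f"kernel FIPS mode: {'on' if fips else 'off'}")
    for f in scan_trace(SAMPLE_TRACE, fips):
        print(f"line {f['line']:>3}  {f['severity']:<4}  {f['header']}: NTLM {f['stage']}")
```

Run it on a FIPS-mode host against the output of `curl -v --ntlm ... 2>&1` to see every NTLM stage that curl completed; on the affected curl build the AUTHENTICATE message is sent and the 200 response follows, which is exactly the behaviour the report expects the FIPS policy to block.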

jmigacz@redhat.com (Jacek Migacz)
hkario@redhat.com (Alicja Kario)
Jacek Migacz
Daniel Rusek
Votes: 0
Watchers: 5