  1. RHEL
  2. RHEL-86786

Do not block HMAC-MD4/5 in FIPS mode [rhel-8.10.z]


    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Undefined Undefined
    • rhel-8.10.z
    • rhel-8.10.z
    • krb5
    • krb5-1.18.2-32.el8_10
    • No
    • Important
    • ZStream
    • 3
    • rhel-idm-ipa
    • ssg_idm
    • 3
    • False
    • False
    • None
    • 2025-Q2-Bravo-S2, 2025-Q2-Bravo-S3, 2025-Q2-Bravo-S4
    • Approved Blocker
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      To ensure RC4 HMAC-MD5 was not used in FIPS mode, access to HMAC-MD4/5 is not allowed in this mode. However, since we provide the [libdefaults]radius_md5_fips_override configuration parameter to allow using RADIUS regardless of the FIPS restrictions, we should allow HMAC-MD5 to be used too in this case, because it is required for the newly supported Message-Authenticator attribute. Having an exception for MD5 alone, but not for HMAC-MD5, does not make sense.

              jrische@redhat.com Julien Rische
              jrische@redhat.com Julien Rische
              Julien Rische Julien Rische
              Michal Polovka Michal Polovka