What steps will reproduce the problem?
1.Install prosody version 0.11 on a linux machine with selinux and openssl 1.0.2 with fips enabled in grub
2.Configure certificate/cipher settings in the prosody.cfg.lua
3.Have a user create a room with an XMPP client and have another user attempt to join the room.
What is the expected output?
The two users will be able to join the room and exchange messages directly.
What do you see instead?
--- Started Prosody XMPP (Jabber) server.
--- prosody.service: main process exited, code=killed, status=6/ABRT
What version of the product are you using? On what operating system?
Prosody version 0.11 on Red Hat Linux 7
Please provide any additional information below.
There are no error messages logged before prosody silently crashes.
If the fips module is not enabled in the boot options of the operating system the chatroom can be created and joined by the two clients.
Zash
on
Debugged in the chat room and seems to be a call to md5() in MUC where it forwards iq stanzas trough the room. OpenSSL apparently aborts on use of this in FIPS mode.
What steps will reproduce the problem? 1.Install prosody version 0.11 on a linux machine with selinux and openssl 1.0.2 with fips enabled in grub 2.Configure certificate/cipher settings in the prosody.cfg.lua 3.Have a user create a room with an XMPP client and have another user attempt to join the room. What is the expected output? The two users will be able to join the room and exchange messages directly. What do you see instead? --- Started Prosody XMPP (Jabber) server. --- prosody.service: main process exited, code=killed, status=6/ABRT What version of the product are you using? On what operating system? Prosody version 0.11 on Red Hat Linux 7 Please provide any additional information below. There are no error messages logged before prosody silently crashes. If the fips module is not enabled in the boot options of the operating system the chatroom can be created and joined by the two clients.
Debugged in the chat room and seems to be a call to md5() in MUC where it forwards iq stanzas trough the room. OpenSSL apparently aborts on use of this in FIPS mode.
ChangesHiddenPriority-HighSecurityPriority-MediumThe FIPS mode in RHEL 7 (Red Hat Enterprise Linux 7, not Red Hat Linux 7, which also existed 15+ years ago) enforces at least FIPS 140-2. See e.g. https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/140sp/140sp2355.pdf for a brief summary regarding MD5.
Have patch replacing MD5 usage with truncated HMAC-SHA256
ChangesFixed in https://hg.prosody.im/trunk/rev/83bec90a352c (depends on the parent commit)
Changes