[EXTERNAL] MD5 and FIPS
Hubert Kario
hkario at redhat.com
Thu Feb 2 11:53:28 UTC 2023
On Thursday, 2 February 2023 01:45:00 CET, Sands, Daniel via openssl-users
wrote:
>
>> -----Original Message-----
>> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Dr
>> Paul Dale
>> Sent: Wednesday, February 1, 2023 2:33 PM
>> To: openssl-users at openssl.org
>> Subject: [EXTERNAL] Re: MD5 and FIPS
>>
>> If you are using OpenSSL 1.0.2 and the old FOM, you're out of luck.
>>
>> If you are using OpenSSL 3.0 with the FIPS provider, you can
>> still access MD5 by
>> loading appropriate providers and specifying a property query. See the
>> migration or FIPS guides.
>
> This sounds like an acceptable workaround. So if I load the
> legacy provider, then request MD5 (or SHA1) explicitly through
> that provider, it should provide a working context?
For some old FIPS modules you can also re-enable the md5 hash by using
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
Looking how Python handles the usedforsecurity keyword argument in hashlib
module is a usually a good idea.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
More information about the openssl-users
mailing list