3.6. List of RHEL applications using cryptography that is not compliant with FIPS 140-3
Red Hat recommends utilizing libraries from the core crypto components set, as they are guaranteed to pass all relevant crypto certifications, such as FIPS 140-3, and also follow the RHEL system-wide crypto policies.
See the RHEL core crypto components article for an overview of the core cryptographic components, the information about how are they selected, how are they integrated into the operating system, how do they support hardware security modules and smart cards, and how do cryptographic certifications apply to them.
| Application | Détails |
|---|---|
| Bacula | Implements the CRAM-MD5 authentication protocol. |
| Cyrus SASL | Uses the SCRAM-SHA-1 authentication method. |
| Dovecot | Uses SCRAM-SHA-1. |
| Emacs | Uses SCRAM-SHA-1. |
| FreeRADIUS | Uses MD5 and SHA-1 for authentication protocols. |
| Ghostscript | Custom cryptography implementation (MD5, RC4, SHA-2, AES) to encrypt and decrypt documents. |
| GRUB2 |
Supports legacy firmware protocols requiring SHA-1 and includes the |
| ipxe | Implements TLS stack. |
| Kerberos | Preserves support for SHA-1 (interoperability with Windows). |
| lasso |
The |
| MariaDB, MariaDB Connector |
The |
| MySQL |
|
| OpenIPMI | The RAKP-HMAC-MD5 authentication method is not approved for FIPS usage and does not work in FIPS mode. |
| Ovmf (UEFI firmware), Edk2, shim | Full crypto stack (an embedded copy of the OpenSSL library). |
| perl-CPAN | Digest MD5 authentication. |
| perl-Digest-HMAC, perl-Digest-SHA | Uses HMAC, HMAC-SHA1, HMAC-MD5, SHA-1, SHA-224, and so on. |
| perl-Mail-DKIM | The Signer class uses the RSA-SHA1 algorithm by default. |
| PKCS #12 file processing (OpenSSL, GnuTLS, NSS, Firefox, Java) | All uses of PKCS #12 are not FIPS-compliant, because the Key Derivation Function (KDF) used for calculating the whole-file HMAC is not FIPS-approved. As such, PKCS #12 files are considered to be plain text for the purposes of FIPS compliance. For key-transport purposes, wrap PKCS #12 (.p12) files using a FIPS-approved encryption scheme. |
| Poppler | Can save PDFs with signatures, passwords, and encryption based on non-allowed algorithms if they are present in the original PDF (for example MD5, RC4, and SHA-1). |
| PostgreSQL | KDF uses SHA-1. |
| QAT Engine | Mixed hardware and software implementation of cryptographic primitives (RSA, EC, DH, AES, …) |
| Rubis | Provides insecure MD5 and SHA-1 library functions. |
| Samba | Preserves support for RC4 and DES (interoperability with Windows). |
| Syslinux | BIOS passwords use SHA-1. |
| Unbound | DNS specification requires that DNSSEC resolvers use a SHA-1-based algorithm in DNSKEY records for validation. |
| Valgrind | AES, SHA hashes.[a] |
[a]
Re-implements in software hardware-offload operations, such as AES-NI or SHA-1 and SHA-2 on ARM.
| |
