1.5. List of RHEL applications using cryptography that is not compliant with FIPS 140-3
To pass all relevant cryptographic certifications, such as FIPS 140-3, use libraries from the core cryptographic components set. These libraries, except for libgcrypt, also follow the RHEL system-wide cryptographic policies.
See the RHEL core cryptographic components Red Hat Knowledgebase article for information about the core cryptographic components, how they are selected, how they integrate with the operating system, how they support hardware security modules and smart cards, and how cryptographic certifications apply to them.
The following RHEL 10 applications use cryptography that is not compliant with FIPS 140-3:
- Bacula
- Implements the CRAM-MD5 authentication protocol.
- Cyrus SASL
- Uses the SCRAM-SHA-1 authentication method.
- Dovecot
- Uses SCRAM-SHA-1.
- Emacs
- Uses SCRAM-SHA-1.
- FreeRADIUS
- Uses MD5 and SHA-1 for authentication protocols.
- Ghostscript
- Custom cryptography implementation (MD5, RC4, SHA-2, AES) to encrypt and decrypt documents.
- GnuPG
- The package uses the libgcrypt module, which is not validated.
- GRUB2
- Supports legacy firmware protocols requiring SHA-1 and includes the libgcrypt library.
- iPXE
- Implements a TLS stack.
- Kerberos
- Preserves support for SHA-1 (interoperability with Windows).
- Lasso
- The lasso_wsse_username_token_derive_key() key derivation function (KDF) uses SHA-1.
- libgcrypt
- The module is deprecated. It is no longer validated since RHEL 10.0.
- MariaDB, MariaDB Connector
- The mysql_native_password authentication plugin uses SHA-1.
- MySQL
- mysql_native_password uses SHA-1.
- OpenIPMI
- The RAKP-HMAC-MD5 authentication method is not approved for FIPS usage and does not work in FIPS mode.
- Ovmf (UEFI firmware), Edk2, shim
- Full cryptographic stack (an embedded copy of the OpenSSL library).
- Perl
- Uses HMAC, HMAC-SHA1, HMAC-MD5, SHA-1, and SHA-224.
- Pidgin
- Implements DES and RC4 ciphers.
- Poppler
- Can save PDFs with signatures, passwords, and encryption based on non-allowed algorithms if they are present in the original PDF (for example, MD5, RC4, and SHA-1).
- PostgreSQL
- Implements Blowfish, DES, and MD5. A KDF uses SHA-1.
- QAT Engine
- Uses a mix of hardware and software implementations of cryptographic primitives (RSA, EC, DH, AES, and others).
- Ruby
- Provides insecure MD5 and SHA-1 library functions.
- Samba
- Preserves support for RC4 and DES (interoperability with Windows).
- Sequoia
- Uses the deprecated OpenSSL API, which does not work in FIPS mode.
- Syslinux
- Firmware passwords use SHA-1.
- SWTPM
- Explicitly disables FIPS mode in its OpenSSL usage.
- Unbound
- DNS specification requires that DNSSEC resolvers use a SHA-1-based algorithm in DNSKEY records for validation.
- Valgrind
- AES, SHA hashes.[1]
- zip
- Custom cryptography implementation (insecure PKWARE encryption algorithm) to encrypt and decrypt archives by using a password.