Re: [HTCondor-users] condor and FIPS issue

[Zach Miller <zmiller@xxxxxxxxxxx>]

> -----Original Message-----
> From: HTCondor-users [mailto:htcondor-users-bounces@xxxxxxxxxxx] On Behalf
> Of ade kc
> Sent: Wednesday, July 06, 2016 2:03 PM
> To: HTCondor-Users Mail List <htcondor-users@xxxxxxxxxxx>
> Subject: Re: [HTCondor-users] condor and FIPS issue


[...]
 
> In condor MasterLog, here's what the stack dump log looks like
> 
> 
> 
> 
> Stack dump for process 14412 at timestamp 1467830633 (17 frames)
> /usr/lib64/condor/libcondor_utils_8_2_9.so(dprintf_dump_stack+0x12d)[0x7f69
> 70aad4dd]
> /usr/lib64/condor/libcondor_utils_8_2_9.so(_Z18linux_sig_coredumpi+0x40)[0x
> 7f6970c10a10]
> /lib64/libpthread.so.0(+0xf710)[0x7f696c7c2710]
> /lib64/libc.so.6(gsignal+0x35)[0x7f696c451625]
> /lib64/libc.so.6(abort+0x175)[0x7f696c452e05]
> /usr/lib64/libcrypto.so.10(+0x69f7f)[0x7f696dd3ef7f]
> /usr/lib64/libcrypto.so.10(MD5_Init+0x49)[0x7f696dd456e9]

I believe the problem here is that MD5 is not a FIPS approved algorithm, and therefore any application that depends on it is likely out of compliance.  It seems their solution is to dump core just to make sure you notice. :)

HTCondor currently does rely on the MD5 algorithm.  It's on my plate to add SHA256 support, but until then I'm afraid we will not be FIPS compliant.  (And there may be other issues as well, as FIPS compliance isn't something we have formally looked at.)


Cheers,
-zach