Replace MD5 with SHA256+ #848
Comments
Facing the same issue when trying to run the application on RHEL 8 with FIPS enabled. Since FIPS does not allow non-FIPS digest algorithms like MD5, this has caused some challenges. Cannot disable FIPS, as it is a security concern.
@matt-domsch-sp, I noticed that you mentioned a monkey-patched version of create_digest. Could you please share more details on how you managed to handle the old transactions that used MD5 digests? Any guidance or examples would be greatly appreciated. Thanks in advance.
In my case we made the transition while the application was otherwise naturally idle, and did not attempt to solve for both algorithms being present simultaneously. I recognize that may not be possible for all users of this library.
Is your feature request related to a problem? Please describe.
sidekiq-unique-jobs/lib/sidekiq_unique_jobs/lock_digest.rb, line 54 in bdca185
Describe the solution you'd like
Replace use of MD5 with a FIPS 140-2 or -3 permitted algorithm, such as in the SHA2 or SHA3 family.
This does raise the question of forward compatibility - upgrading a system previously using MD5 digests to a system using a SHA2+ digest, with transactions in flight. This may call for a major version bump, and an operational requirement to drain all previous unique job records. I'm open to a less invasive solution that doesn't involve the use of MD5 except perhaps in a brief transition period.
Describe alternatives you've considered
Disabling FIPS mode is not an option for my use case.
Re-enabling MD5 while in FIPS mode invalidates any FIPS certification.
We intend to monkey-patch lock_digest.rb create_digest() effectively as follows:
Additional context
Failures at runtime on a RHEL 9.4 Universal Base Image OS with FIPS mode enabled look like:
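The following is an added example, not the gem's lock_digest.rb and not the monkey-patch the issue author refers to. It sketches what a FIPS-permitted create_digest looks like and how a transition window could compute both the new SHA-256 key and, where the platform still permits it, the legacy MD5 key. The "uniquejobs" prefix, the sorted-key JSON serialisation of the digestable hash, and all method names are assumptions for illustration; the gem's real serialisation and prefix may differ.

```ruby
require "openssl"
require "json"

# Added example (not sidekiq-unique-jobs code): a FIPS-safe lock digest that
# mirrors the shape described in the issue (prefix + ":" + hexdigest of the
# JSON-serialised digestable hash). Serialisation and prefix are assumptions.
module FipsLockDigest
  PREFIX = "uniquejobs".freeze # assumed prefix; the gem's own value may differ

  # Canonical JSON: sort top-level keys so that key order cannot produce two
  # different digests for the same logical job.
  def self.canonical(digestable_hash)
    JSON.generate(digestable_hash.sort_by { |k, _| k.to_s }.to_h)
  end

  # Replacement digest: SHA-256 is permitted under FIPS 140-2 / 140-3.
  def self.create_digest(digestable_hash, prefix: PREFIX)
    "#{prefix}:#{OpenSSL::Digest::SHA256.hexdigest(canonical(digestable_hash))}"
  end

  # Legacy digest as the pre-change code computed it. On a FIPS-enabled host
  # OpenSSL refuses to instantiate MD5 and raises; return nil instead so the
  # caller can simply skip the legacy key.
  def self.legacy_digest(digestable_hash, prefix: PREFIX)
    "#{prefix}:#{OpenSSL::Digest::MD5.hexdigest(canonical(digestable_hash))}"
  rescue OpenSSL::OpenSSLError, RuntimeError
    nil
  end

  # True when MD5 is usable on this host; false under FIPS mode.
  def self.md5_available?
    OpenSSL::Digest::MD5.hexdigest("")
    true
  rescue OpenSSL::OpenSSLError, RuntimeError
    false
  end

  # Keys to consult during a transition window: the SHA-256 key always (and
  # first), plus the MD5 key only where the platform still allows it. On a FIPS
  # host this collapses to the single SHA-256 key, which is the desired end
  # state once all in-flight MD5-keyed locks have drained.
  def self.candidate_digests(digestable_hash, prefix: PREFIX)
    [create_digest(digestable_hash, prefix: prefix),
     legacy_digest(digestable_hash, prefix: prefix)].compact
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample job hash, not taken from a real Sidekiq payload.
  job = { "class" => "MyWorker", "queue" => "default", "args" => [42] }
  puts FipsLockDigest.create_digest(job)
  puts "MD5 available: #{FipsLockDigest.md5_available?}"
  puts FipsLockDigest.candidate_digests(job).inspect
end
```

Running this on a non-FIPS workstation prints two candidate keys; on a FIPS-enabled RHEL host the MD5 call raises inside OpenSSL, legacy_digest returns nil, and only the SHA-256 key remains, which is the behaviour a drained, post-upgrade deployment should rely on.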