Replace MD5 with SHA256+ #848
Comments
Facing the same issue when trying to run the application on RHEL 8 with FIPS enabled. Since FIPS does not allow non-FIPS digest algorithms like MD5, this has caused some challenges. Cannot disable FIPS, as it is a security concern.
@matt-domsch-sp, I noticed that you mentioned a monkey-patched version of create_digest. Could you please share more details on how you managed to handle the old transactions that used MD5 digests? Any guidance or examples would be greatly appreciated. Thanks in advance.
In my case we made the transition while the application was otherwise naturally idle, and did not attempt to solve for both algorithms being present simultaneously. I recognize that may not be possible for all users of this library.
Is your feature request related to a problem? Please describe.
sidekiq-unique-jobs/lib/sidekiq_unique_jobs/lock_digest.rb, line 54 in bdca185
Describe the solution you'd like
Replace use of MD5 with a FIPS 140-2 or -3 permitted algorithm, such as in the SHA2 or SHA3 family.
This does raise the question of forward compatibility - upgrading a system previously using MD5 digests to a system using a SHA2+ digest, with transactions in flight. This may call for a major version bump, and an operational requirement to drain all previous unique job records. I'm open to a less invasive solution that doesn't involve the use of MD5 except perhaps in a brief transition period.
Describe alternatives you've considered
Disabling FIPS mode is not an option for my use case.
Re-enabling MD5 while in FIPS mode invalidates any FIPS certification.
We intend to monkey-patch lock_digest.rb create_digest() effectively as follows:
Additional context
Failures at runtime when FIPS mode is enabled on a RHEL 9.4 Universal Base Image OS with FIPS mode enabled look like:
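As an added example, not the issue author's patch and not the gem's own code, here is a standalone digest module in the shape the issue describes: SHA-256 in place of MD5, plus a transition-period lookup that degrades to the new digest alone when MD5 cannot be computed under FIPS. The module name, LOCK_PREFIX, the field names and the method names are assumptions.

```ruby
require "json"
require "openssl"

# Standalone, constructed stand-in for the digest step the issue describes:
# a lock digest built from the job class, queue and unique arguments.
# LOCK_PREFIX, the field names and the method names are assumptions, not
# the gem's own code.
module FipsLockDigest
  LOCK_PREFIX = "uniquejobs"

  # The fields that decide uniqueness, serialised deterministically.
  def self.payload(job_class, queue, unique_args)
    JSON.generate({ "class" => job_class, "queue" => queue, "unique_args" => unique_args })
  end

  # FIPS-permitted replacement for the MD5 step: SHA-256 (SHA2 family).
  def self.create_digest(job_class, queue, unique_args)
    "#{LOCK_PREFIX}:#{OpenSSL::Digest::SHA256.hexdigest(payload(job_class, queue, unique_args))}"
  end

  # Legacy digest, kept only to recognise records written before the switch.
  # With a FIPS provider active, MD5 fails at construction or initialisation
  # (RuntimeError or OpenSSL::Digest::DigestError depending on the openssl
  # gem version), so this returns nil instead of raising.
  def self.legacy_md5_digest(job_class, queue, unique_args)
    "#{LOCK_PREFIX}:#{OpenSSL::Digest::MD5.hexdigest(payload(job_class, queue, unique_args))}"
  rescue OpenSSL::Digest::DigestError, RuntimeError
    nil
  end

  # Transition-period lookup order: the SHA-256 key first, then the MD5 key
  # if it can still be computed. On a FIPS host the list has one entry,
  # which is why pre-switch records must be drained before the upgrade.
  def self.lookup_candidates(job_class, queue, unique_args)
    [create_digest(job_class, queue, unique_args),
     legacy_md5_digest(job_class, queue, unique_args)].compact
  end
end

if $PROGRAM_NAME == __FILE__
  puts FipsLockDigest.lookup_candidates("MyWorker", "default", [42, "a"])
end
```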