This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

fails when box is in FIPS mode #882

Closed
davidkarlsen opened this issue Jan 27, 2021 · 8 comments

Comments

@davidkarlsen

anchore-engine-anchore-engine-catalog-7b9b766788-sbcjg anchore-engine-catalog [service:catalog] 2021-01-27 17:19:27+0000 [-] [Thread-729] [anchore_engine.clients.services.internal/dispatch()] [ERROR] Failed client call to service simplequeue for url: http://anchore-engine-anchore-engine-simplequeue:8083/v1/queues/watcher_tasks/is_inqueue. Response: {'httpcode': 500, 'anchore_error_raw': 'b\'"[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS"\\n\'', 'anchore_error_json': '[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS'}

See similar issue and how to avoid it: s3tools/s3cmd#1005

chart version:

helm list
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
anchore-engine  anchore         1               2021-01-27 17:07:11.379189889 +0000 UTC deployed        anchore-engine-1.11.5   0.9.0   
@zhill
Member

zhill commented Jan 28, 2021

Thanks @davidkarlsen, the pointer to a solution is appreciated. We just ran into this ourselves as well, so we'll update here.

@davidkarlsen
Author

@zhill any idea which release it will go into?

@davidkarlsen davidkarlsen changed the title fails when box is in FIPS mode [anchore] fails when box is in FIPS mode Feb 2, 2021
@davidkarlsen davidkarlsen changed the title [anchore] fails when box is in FIPS mode ails when box is in FIPS mode Feb 2, 2021
@davidkarlsen davidkarlsen changed the title ails when box is in FIPS mode fails when box is in FIPS mode Feb 2, 2021
@davidkarlsen
Author

bump

@davidkarlsen
Author

psycopg/psycopg2#1170

zhill added a commit to zhill/anchore-engine that referenced this issue Apr 23, 2021
* Adds usedforsecurity=false for all hashlib invocations for FIPS support
* Switch from hashlib.md5 to hashlib.new("md5",...) for MacOS and linux support of usedforsecurity=False option
* Switch to use psycopg2 instead of psycopg2-binary for FIPS compatibility

MacOS users will need to install postgres and openssl (brew install postgres openssl) and
set up LIBRARY_PATH and DYLD_LIBRARY_PATH to point to the openssl lib dir
in order for the install of psycopg2 to work from source instead of
using psycopg2-binary.

Signed-off-by: Zach Hill <[email protected]>
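As an added example (my own code, not anchore-engine's and not part of the commit above): a helper that computes a non-security digest the way the commit describes, through hashlib.new(name, usedforsecurity=False), plus a probe that reports whether the interpreter's OpenSSL is refusing MD5, which is the condition behind the "EVP_DigestInit_ex disabled for FIPS" error in the opening report. The function names and the defensive TypeError fallback are my assumptions; the usedforsecurity keyword itself is real (Python 3.9+, and also on distro-patched interpreters such as RHEL's FIPS-enabled Python).

```python
"""Added example: FIPS-tolerant non-security hashing in Python.

When the OpenSSL behind hashlib runs in FIPS mode, hashlib.md5() raises
ValueError ("disabled for FIPS") unless the caller marks the use as
non-security via usedforsecurity=False. That flag is the right fix only for
digests that are NOT protecting anything (cache keys, dedup, content
fingerprints); anything security-relevant should move to a FIPS-approved
algorithm such as SHA-256 instead.
"""
import hashlib


def fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of `data` for a non-security purpose (cache key, dedup).

    hashlib.new(algorithm, usedforsecurity=False) tells a FIPS-mode OpenSSL
    that this call is not a security use, so it is allowed through. The
    TypeError fallback (assumption: defensive only) covers an interpreter
    whose hashlib.new() rejects the keyword outright; on a non-FIPS host the
    plain constructor still works there, while on a FIPS host the resulting
    ValueError propagates, because there is no sanctioned way to get MD5.
    """
    try:
        h = hashlib.new(algorithm, usedforsecurity=False)
    except TypeError:
        h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def md5_blocked_for_security() -> bool:
    """Report whether this interpreter refuses MD5 for security use.

    Assumption: a ValueError from hashlib.md5() here means the OpenSSL
    backend is in FIPS mode, the same failure the catalog log line shows.
    Useful as a startup self-check so a service can log a clear message
    instead of failing deep inside a client call.
    """
    try:
        hashlib.md5(b"")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input; the MD5 call below succeeds on both FIPS and
    # non-FIPS hosts on Python 3.9+, while the probe differs between them.
    print("fips-style MD5 block detected:", md5_blocked_for_security())
    print("md5   :", fingerprint(b"abc"))
    print("sha256:", fingerprint(b"abc", "sha256"))
```

A usage note on the third bullet of the commit: switching from psycopg2-binary to psycopg2 matters for the same reason as the hashlib change. The binary wheel bundles its own libpq and OpenSSL, which are not the host's FIPS-validated libraries, so building psycopg2 from source against the system OpenSSL is what keeps the database client inside the FIPS boundary.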
zhill added a commit to zhill/anchore-engine that referenced this issue Apr 23, 2021
* Adds usedforsecurity=false for all hashlib invocations for FIPS support
* Switch from hashlib.md5 to hashlib.new("md5",...) for MacOS and linux support of usedforsecurity=False option
* Switch to use psycopg2 instead of psycopg2-binary for FIPS compatibility

MacOS users will need to install postgres and openssl (brew install postgres openssl) and
set up LIBRARY_PATH and DYLD_LIBRARY_PATH to point to the openssl lib dir
in order for the install of psycopg2 to work from source instead of
using psycopg2-binary.

Signed-off-by: Zach Hill <[email protected]>
@zhill
Member

zhill commented Apr 23, 2021

Hi @davidkarlsen I've got some changes in testing, in #985. If things look ok when we do more testing, then either 0.9.4 or the next minor release will have the fix.

zhill added a commit to zhill/anchore-engine that referenced this issue Apr 27, 2021
* Adds usedforsecurity=false for all hashlib invocations for FIPS support
* Switch from hashlib.md5 to hashlib.new("md5",...) for MacOS and linux support of usedforsecurity=False option
* Switch to use psycopg2 instead of psycopg2-binary for FIPS compatibility

MacOS users will need to install postgres and openssl (brew install postgres openssl) and
set up LIBRARY_PATH and DYLD_LIBRARY_PATH to point to the openssl lib dir
in order for the install of psycopg2 to work from source instead of
using psycopg2-binary.

Signed-off-by: Zach Hill <[email protected]>
@zhill
Member

zhill commented May 14, 2021

Have been testing the #985 fix and more updates are needed to handle SQLAlchemy (may need to monkey patch it). Will update here, but did not make 0.9.4. We are going to have to get FIPS compliant test infrastructure to ensure this is correct in CI, so may take more time than available for the next feature release as well. But, we are working on it and will continue updates as we make progress.

@ryphon

ryphon commented Jun 29, 2021

Hey @zhill, just ran into basically this exact same issue on a RHEL7 installation. Any chance there's any updates on this since mid May?

zhill added a commit to zhill/anchore-engine that referenced this issue Aug 26, 2021
* Adds usedforsecurity=false for all hashlib invocations for FIPS support
* Switch from hashlib.md5 to hashlib.new("md5",...) for MacOS and linux support of usedforsecurity=False option
* Switch to use psycopg2 instead of psycopg2-binary for FIPS compatibility

MacOS users will need to install postgres and openssl (brew install postgres openssl) and
set up LIBRARY_PATH and DYLD_LIBRARY_PATH to point to the openssl lib dir
in order for the install of psycopg2 to work from source instead of
using psycopg2-binary.

Signed-off-by: Zach Hill <[email protected]>
zhill added a commit that referenced this issue Aug 27, 2021
* Adds usedforsecurity=false for all hashlib invocations for FIPS support
* Switch from hashlib.md5 to hashlib.new("md5",...) for MacOS and linux support of usedforsecurity=False option
* Switch to use psycopg2 instead of psycopg2-binary for FIPS compatibility

MacOS users will need to install postgres and openssl (brew install postgres openssl) and
set up LIBRARY_PATH and DYLD_LIBRARY_PATH to point to the openssl lib dir
in order for the install of psycopg2 to work from source instead of
using psycopg2-binary.

Signed-off-by: Zach Hill <[email protected]>
@zhill
Member

zhill commented Sep 4, 2021

Closed by #1193 and released in v0.10.2

@zhill zhill closed this as completed Sep 4, 2021