Using something other than MD5 in 3.0.19 - FIPS

[Alan DeKok]

On May 31, 2019, at 2:07 PM, Paul Pathiakis via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have to use CentOS in FIPS mode which disallows MD5 use.

  So you don't plan on using RADIUS then.

> What do I need to change to either encapsulate it in TLS on the client and server or what should I do to change the configuration to not advertise to CentOS 7 in FIPS mode that MD5 is being used?

  RADIUS can be sent over TLS.  But it still mandates the use of MD5.

> My understanding is that RADIUS uses MD5 by specification.  FIPS mode disallows MD5 usage as being too weak.
> radiusd -X is up and ready for connections but the basic radtest with user bob generates an MD5 usage error stating that MD5 utlization is not allowed in FIPS mode.

  a) allow MD5 and use RADIUS

  b) disallow MD5 and don't use RADIUS.

  Blanket security prohibitions aren't very useful in the real world.

  We've put source code changes into "master" (not v3) to over-ride FIPS mode.  i.e. the OS says "don't use MD5", but the application over-rides that with "yes, I really want to use MD5".

  Which makes FIPS mode sort of useless.  All it does is ensure that you don't *accidentally* use MD5.

  Those changes might be portable back to v3.  But it wouldn't be trivial.

  Alan DeKok.