This is a tracker bug to document current or future potential issues with ThinLinc running on FIPS systems. Note that we do not have the intention of getting ThinLinc FIPS certified. Rather, we want most of ThinLinc to be usable on FIPS enforcing systems and keep track of things that don't work.

The latest FIPS standard for cryptography modules is 140-3 [1, 2] and has four levels of increasing security (Levels 1-4). As it stands today, ThinLinc has some places where we use MD5, which is not accepted by FIPS (e.g. bug 8331). To pass FIPS Level 2, SHA-1 is not accepted, which we still use in some places such as tlwebaccess and tlwebadm.

I tested a RHEL 9 system with FIPS enabled, but SHA-1 disabled:

> update-crypto-policies --set FIPS:NO-SHA1

This did not seem to have an effect, as I could use tlwebadm and tlwebaccess without any issue; SHA-1 is still usable:

> hashlib.sha1(b"")

[1] https://csrc.nist.gov/pubs/fips/140-3/final
[2] https://www.encryptionconsulting.com/fips-140-3-security-requirements-for-cryptographic-modules/
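As an added check of what the active crypto policy actually refuses in Python's hashlib (example code written for this tracker, not from the bug report or from ThinLinc): it tries each digest both as a security hash and with usedforsecurity=False, treats the ValueError that an OpenSSL FIPS provider raises for a disallowed algorithm as "blocked", and reads the kernel's FIPS flag. It assumes Python 3.9 or newer (for the usedforsecurity keyword) and, for the kernel flag only, a Linux host exposing /proc/sys/crypto/fips_enabled.

```python
# Added example: probe which hashlib digests the running OpenSSL / crypto
# policy allows. Not part of the ThinLinc bug report or of ThinLinc itself.
# Assumes Python 3.9+ (usedforsecurity keyword) and, for kernel_fips_enabled(),
# a Linux system exposing /proc/sys/crypto/fips_enabled.
import hashlib
from pathlib import Path

# Digests worth checking on a FIPS-enforcing host: MD5 and SHA-1 are the ones a
# FIPS policy may refuse; the SHA-2 family is the approved baseline.
DIGESTS = ("md5", "sha1", "sha256", "sha384", "sha512")


def kernel_fips_enabled():
    """Return True/False from /proc/sys/crypto/fips_enabled, or None if unreadable."""
    flag = Path("/proc/sys/crypto/fips_enabled")
    try:
        return flag.read_text().strip() == "1"
    except OSError:
        return None


def digest_allowed(name, used_for_security=True):
    """True if hashlib can construct *and* run the named digest.

    With OpenSSL in FIPS mode, constructing a disallowed digest raises
    ValueError. usedforsecurity=False declares a non-cryptographic use
    (checksums, cache keys); some builds permit MD5/SHA-1 only that way.
    Unknown digest names also raise ValueError, so they report False.
    """
    try:
        h = hashlib.new(name, b"", usedforsecurity=used_for_security)
        h.hexdigest()
    except ValueError:
        return False
    return True


def probe_digests(names=DIGESTS):
    """Map each name to (allowed as security hash, allowed with usedforsecurity=False)."""
    return {n: (digest_allowed(n, True), digest_allowed(n, False)) for n in names}


def blocked_security_digests(names=DIGESTS):
    """Digests refused for security use: the ones the policy is actually enforcing against."""
    return [n for n in names if not digest_allowed(n, True)]


if __name__ == "__main__":
    print("kernel fips_enabled:", kernel_fips_enabled())
    for name, (secure, non_secure) in probe_digests().items():
        print(f"{name:7} security-use={'ok' if secure else 'BLOCKED':8} "
              f"usedforsecurity=False={'ok' if non_secure else 'BLOCKED'}")
    print("blocked for security use:", blocked_security_digests() or "none")
```

Run it on the host after changing the policy: the hashlib.sha1(b"") result above corresponds to sha1 reporting ok in both columns, while a policy that the interpreter's OpenSSL backend honours would list sha1 under "blocked for security use". The probe only reports what this interpreter's hashlib backend exposes, so a blocked digest here says nothing about other libraries on the same host.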
Some bugs where we've already seen issues because of SHA-1 being deprecated:

* bug 7535
* bug 7306
* bug 7933
* bug 7935

Note that FIPS mode was not involved in any of these, so that is not a requirement for all problems. FIPS mode might make things worse in the future, though.