Bug 8332 - SHA-1 is deprecated and might stop working
Summary: SHA-1 is deprecated and might stop working
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Bugzilla mail exporter
Depends on:
Reported: 2024-04-08 08:53 CEST by Adam Halim
Modified: 2024-04-09 13:39 CEST
See Also:
Acceptance Criteria:

Description Adam Halim cendio 2024-04-08 08:53:31 CEST
This is a tracker bug to document current or future potential issues with
ThinLinc running on FIPS systems. Note that we do not have the intention of
getting ThinLinc FIPS certified. Rather, we want most of ThinLinc to be usable
on FIPS enforcing systems and keep track of things that don't work.

The latest FIPS standard for cryptography modules is 140-3 [1, 2] and has four
levels of increasing security (Levels 1-4). As it stands today, ThinLinc has
some places where we use MD5 which is not accepted by FIPS (e.g. bug 8331).

To pass FIPS Level 2, SHA-1 is not accepted, which we still use in some places,
such as tlwebaccess and tlwebadm. I tested a RHEL 9 system with FIPS
enabled, but SHA-1 disabled:
> update-crypto-policies --set FIPS:NO-SHA1
This did not seem to have an effect, as I could use tlwebadm and tlwebaccess
without any issue; SHA-1 is still usable:
> hashlib.sha1(b"")

[1] https://csrc.nist.gov/pubs/fips/140-3/final
[2] https://www.encryptionconsulting.com/fips-140-3-security-requirements-for-cryptographic-modules/
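A small check for the situation described above, added here as an example and not part of the bug or of ThinLinc's code: it probes hashlib with and without the usedforsecurity flag (Python 3.9+), which is the mechanism through which a FIPS-mode OpenSSL can refuse non-approved digests such as MD5 or SHA-1. The digest list and the known empty-input digests are assumptions chosen for the demonstration.

```python
"""Report which digests the running Python will use for security purposes.

On a FIPS-enforcing host, hashlib.new(name, usedforsecurity=True) raises
ValueError for digests the crypto policy blocks, while usedforsecurity=False
still returns a working object. Comparing the two tells you which digests
in a code base would break under FIPS enforcement.
"""
import hashlib

# Digests worth probing on a FIPS host (assumed list for this demonstration).
CANDIDATES = ("md5", "sha1", "sha256", "sha512")


def probe(name, usedforsecurity=True):
    """Return (usable, detail) for one digest name.

    usable is True when hashlib.new() accepts the digest under the given
    flag; detail is the hex digest of b"" on success or the error text.
    """
    try:
        h = hashlib.new(name, b"", usedforsecurity=usedforsecurity)
    except ValueError as exc:
        # Unknown digest, or one rejected by the FIPS crypto policy.
        return False, str(exc)
    except TypeError:
        # Python < 3.9 has no usedforsecurity keyword; fall back to a plain call.
        h = hashlib.new(name, b"")
    return True, h.hexdigest()


def audit(names=CANDIDATES):
    """Map each digest name to its probe result for both flag values."""
    return {
        n: {"security": probe(n, True), "non_security": probe(n, False)}
        for n in names
    }


def fips_rejected(names=CANDIDATES):
    """Digests usable only with usedforsecurity=False, i.e. blocked by policy."""
    report = audit(names)
    return sorted(
        n for n, r in report.items()
        if not r["security"][0] and r["non_security"][0]
    )


if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
    print("blocked for security use:", fips_rejected() or "none")
```

On a non-FIPS host fips_rejected() returns an empty list; on the RHEL 9 FIPS host from the report, md5 is the digest expected to appear there.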
Comment 1 Pierre Ossman cendio 2024-04-09 13:39:12 CEST
Some bugs where we've already seen issues because of SHA-1 being deprecated:

 * bug 7535
 * bug 7306
 * bug 7933
 * bug 7935

Note that FIPS mode was not involved in any of these, so that is not a requirement for all problems. FIPS mode might make things worse in the future, though.
