We use MD5 as a choice of file hashing. The problem is, that with FIPS enabled, the low-level routine doesn’t just refuse, but it even calls OpenSSL’s abort function, terminating the program with prejudice. The EVP routine is more reasonable,
simply refusing to provide MD5. But as mentioned, I am not asking for MD5 as a cryptographic algorithm, but as a file hash. OpenSSL does not provide a way to differentiate that, though. It seems to me that it would be better if OpenSSL refused at a higher level such as when asking for an HMAC or TLS suite. If I want MD5 for digesting a file, it would be nice if OpenSSL didn’t refuse it. Are there any workarounds to this, other than disabling FIPS or rolling my own? |