On Thursday, 2 February 2023 01:45:00 CET, Sands, Daniel via openssl-users
wrote:
-----Original Message-----
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Dr
Paul Dale
Sent: Wednesday, February 1, 2023 2:33 PM
To: openssl-users@xxxxxxxxxxx
Subject: [EXTERNAL] Re: MD5 and FIPS
If you are using OpenSSL 1.0.2 and the old FOM, you're out of luck.
If you are using OpenSSL 3.0 with the FIPS provider, you can
still access MD5 by
loading appropriate providers and specifying a property query. See the
migration or FIPS guides.
This sounds like an acceptable workaround. So if I load the
legacy provider, then request MD5 (or SHA1) explicitly through
that provider, it should provide a working context?
For some old FIPS modules you can also re-enable the md5 hash by using
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
Looking how Python handles the usedforsecurity keyword argument in hashlib
module is a usually a good idea.
--
Regards,
Hubert Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
