On hosts configured for compliance with U.S. Federal Information Processing Standard (FIPS) 140-2 <http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf>, like those in some banks and, yes, the U.S. Department of Defense, cryptographic modules (such as OpenSSL, which underlies hashlib) are not allowed to calculate MD5 digests, because MD5 is no longer a FIPS Approved digest algorithm.
I know no one is trying here to lean on MD5 for security, but the standard says nothing about the reason why you're using MD5: just that you can't. No one expects a digest algorithm to fail, and Python 2.x may not have been fixed to check for that before being frozen <https://bugzilla.redhat.com/show_bug.cgi?id=746118#c3>, so if you run an MD5 checksum on a FIPS-compliant system with an unpatched Python 2.x, the Python interpreter will segfault. (Ruby, too, had this problem and was itself only recently fixed, <http://bugs.ruby-lang.org/issues/4944>.) I have to configure hosts in accordance with FIPS 140-2, so the more places I can get rid of MD5, the less headaches I have. -- Jared Jennings, RHCE, Network Admin, SURVICE Engineering Co. _______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig
