On Sun, Oct 28, 2018 at 7:08 PM Dan <[email protected]> wrote:
>
> I just migrated a customer install to 1.2.3 on CentOS 7.5 and when trying to
> view diffs, I was seeing the following error:
>
> ValueError: error:060800A3:digital envelope
> routines:EVP_DigestInit_ex:disabled for fips
>
> I ended up writing the following patch to resolve the issue:
>
> --- ./web/api.py.orig 2018-10-18 07:52:24.205812859 -0700
> +++ ./web/api.py 2018-10-27 17:18:17.864423747 -0700
> @@ -21,2 +21,3 @@
> from datetime import datetime
> +import hashlib
> from hashlib import md5
> @@ -24,2 +25,3 @@
> import mimetypes
> +import inspect
> import os
> @@ -638,3 +640,10 @@
> if isinstance(extra, list):
> - m = md5()
> + try:
> + m = md5()
> + except ValueError as e:
> + if 'usedforsecurity' in inspect.getargspec(hashlib.new)[0]:
> + m = md5(usedforsecurity=False)
> + else:
> + raise e
> +
> for elt in extra:
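Review bot: The feature probe in the except branch inspects hashlib.new, but the retry calls md5(usedforsecurity=False), which is a different callable, so the check does not show that md5 itself accepts the keyword. Calling md5(usedforsecurity=False) directly and catching TypeError would test the call that matters, and would make the added import inspect and import hashlib lines unnecessary. Separately, raise e should be a bare raise so the original traceback is preserved.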
>
>
> Changing the hash may be more desirable, but this was the Minimum Viable
> Product.
>
> Has anyone else run into this? If so, how was it resolved?

The usedforsecurity parameter is supported only in RHEL/CentOS 6 and 7.
The issue cannot be resolved on Ubuntu 1604.

The md5 is used for generating the ETag header and determining whether
the page content is cached. If not cached, the content is just rendered
and sent to the client.

We could use sha1 rather than md5 because the value does not need to be
kept between Trac versions. However, md5 is also used in
trac/web/auth.py to implement HTTP digest authentication and cannot be
removed. Therefore, HTTP digest authentication cannot be used in a
FIPS 140-2 environment.

If you don't need FIPS 140-2, try disabling FIPS 140-2.

diff --git a/trac/web/api.py b/trac/web/api.py
index f98d1a93d..b93f4af36 100644
--- a/trac/web/api.py
+++ b/trac/web/api.py
@@ -19,7 +19,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler
from Cookie import CookieError, BaseCookie, SimpleCookie
import cgi
from datetime import datetime
-from hashlib import md5
+from hashlib import sha1
import new
import mimetypes
import os
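Review bot: Dropping the md5 import at the top of trac/web/api.py is only safe if the md5() call replaced in Request is the module's sole use of that name; any remaining reference would fail with NameError when it is reached. A search for md5 in this file before committing would confirm it.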
@@ -636,7 +636,7 @@ class Request(object):
so that consecutive requests can be cached.
"""
if isinstance(extra, list):
- m = md5()
+ m = sha1()
for elt in extra:
m.update(repr(elt))
extra = m.hexdigest()
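Review bot: Nothing at the m = sha1() line records that this digest is only a cache validator, which is the reason a weak hash is acceptable here. A one-line comment there saying the value is not used for security and only feeds the ETag would keep a later reader from switching it back to md5 or flagging the SHA-1 use during an audit.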
--
Jun Omae <[email protected]> (大前 潤)
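
A FIPS-tolerant version of the ETag digest selection discussed in this thread, as an added Python 3 example (not code from Trac or from either poster). The names etag_digest, DEFAULT_CANDIDATES and fips_blocked_md5 are hypothetical, and fips_blocked_md5 is a constructed stand-in that raises the error quoted above.

```python
import hashlib


def _md5_nonsecurity():
    # The keyword exists in Python 3.9+ and in RHEL/CentOS-patched builds;
    # on other builds the call raises TypeError.
    return hashlib.md5(usedforsecurity=False)


# Ordered preference; each entry is (label, zero-argument constructor).
DEFAULT_CANDIDATES = (
    ("md5", hashlib.md5),
    ("md5-nonsecurity", _md5_nonsecurity),
    ("sha1", hashlib.sha1),
)


def etag_digest(extra, candidates=DEFAULT_CANDIDATES):
    """Return (label, hexdigest) for a list of ETag components.

    The digest is only a cache validator, so any available hash will do.
    """
    for label, factory in candidates:
        try:
            m = factory()
        except (ValueError, TypeError):
            # ValueError: algorithm disabled (e.g. "disabled for fips").
            # TypeError: this build has no usedforsecurity keyword.
            continue
        for elt in extra:
            m.update(repr(elt).encode("utf-8"))
        return label, m.hexdigest()
    raise RuntimeError("no usable hash constructor for ETag generation")


def fips_blocked_md5():
    # Constructed stand-in for the failure quoted in the thread.
    raise ValueError("error:060800A3:digital envelope "
                     "routines:EVP_DigestInit_ex:disabled for fips")


if __name__ == "__main__":
    parts = ["wiki/WikiStart", 42, "en_US"]  # constructed sample components
    print(etag_digest(parts))
    # Simulated FIPS host: md5 is refused, so sha1 is selected instead.
    print(etag_digest(parts, (("md5", fips_blocked_md5),
                              ("sha1", hashlib.sha1))))
```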