On Monday, October 29, 2018 at 3:38:09 AM UTC-7, Jun Omae wrote: > > On Sun, Oct 28, 2018 at 7:08 PM Dan <[email protected]> wrote: > > > > I just migrated a customer install to 1.2.3 on Centos 7.5 and when > trying to view diffs, I was seeing the following error: > > > > ValueError: error:060800A3:digital envelope > routines:EVP_DigestInit_ex:disabled for fips > > > > I ended up writing the following patch to resolve the issue: > > > > --- ./web/api.py.orig 2018-10-18 07:52:24.205812859 -0700 > > +++ ./web/api.py 2018-10-27 17:18:17.864423747 -0700 > > @@ -21,2 +21,3 @@ > > from datetime import datetime > > +import hashlib > > from hashlib import md5 > > @@ -24,2 +25,3 @@ > > import mimetypes > > +import inspect > > import os > > @@ -638,3 +640,10 @@ > > if isinstance(extra, list): > > - m = md5() > > + try: > > + m = md5() > > + except ValueError as e: > > + if 'usedforsecurity' in > inspect.getargspec(hashlib.new)[0]: > > + m = md5(usedforsecurity=False) > > + else: > > + raise e > > + > > for elt in extra: > > > > > > Changing the hash may be more desirable, but this was the Minimum Viable > Product. > > > > Has anyone else run into this? If so, how was it resolved? > > The usedforsecurity parameter is supported only in RHEL/CentOS 6,7. > The issue cannot be resolved on Ubuntu 1604. > > The md5 is used for generating ETag header and whether the page > content is cached. If not cached, the content is just rendered and > sent to the client. > > We could use sha1 rather than md5 because it is not needed to keep the > value between Trac versions. However, md5 is used in also > trac/web/auth.py to implement HTTP digest authentication and cannot be > removed. Therefore, HTTP digest authentication cannot be used with > FIPS 140-2 environment. > > If you don't need FIPS 140-2, try to disable FIPS 140-2. > > > diff --git a/trac/web/api.py b/trac/web/api.py > index f98d1a93d..b93f4af36 100644 > --- a/trac/web/api.py > +++ b/trac/web/api.py 
> @@ -19,7 +19,7 @@ from BaseHTTPServer import BaseHTTPRequestHandler > from Cookie import CookieError, BaseCookie, SimpleCookie > import cgi > from datetime import datetime > -from hashlib import md5 > +from hashlib import sha1 > import new > import mimetypes > import os > @@ -636,7 +636,7 @@ class Request(object): > so that consecutive requests can be cached. > """ > if isinstance(extra, list): > - m = md5() > + m = sha1() > for elt in extra: > m.update(repr(elt)) > extra = m.hexdigest() >
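Review bot: In the `@@ -638,3 +640,10 @@` hunk of the first patch (web/api.py), the except branch probes `inspect.getargspec(hashlib.new)[0]` but then calls `md5(usedforsecurity=False)`, so the check and the call target different callables, and `raise e` replaces the original traceback in this Python 2 module. Suggest calling `md5(usedforsecurity=False)` directly in a nested try that catches `TypeError`, re-raising with a bare `raise`, which also makes the added `import inspect` unnecessary. A one-line comment that this digest only feeds the ETag would explain why the non-security flag is acceptable here.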
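Review bot: The `@@ -19,7 +19,7 @@` hunk of the second patch (trac/web/api.py) drops `from hashlib import md5` outright, while only one call site, `m = md5()` in the `@@ -636,7 +636,7 @@` hunk, is visibly converted; confirm no other reference to `md5` remains in the module, since any leftover would fail with a NameError at call time. A short comment at `m = sha1()` stating that the value is only a cache validator for the ETag, not a security control, would keep a later reader from reverting it or flagging it in an audit.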
Created a ticket for your proposed change: https://trac.edgewall.org/ticket/13103

- Ryan
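The fallback discussed in this thread, as an added example that is not part of the original messages or of Trac: Python 3 code that picks the first digest the runtime permits for the ETag value, trying md5 with `usedforsecurity=False`, then plain md5, then sha1. The names `pick_digest`, `etag_extra` and `fips_like_new` are hypothetical, and `fips_like_new` is a constructed stand-in for a FIPS-enforcing build that lacks the keyword.

```python
import hashlib

# Preference order follows the thread: md5 flagged as non-security where the
# build accepts the keyword, plain md5, then sha1 as proposed in the reply.
CANDIDATES = (("md5", {"usedforsecurity": False}), ("md5", {}), ("sha1", {}))


def pick_digest(new=hashlib.new):
    """Return (name, kwargs) for the first candidate this runtime allows."""
    for name, kwargs in CANDIDATES:
        try:
            new(name, **kwargs)
        except ValueError:
            # Digest disabled by crypto policy, as in the reported FIPS error.
            continue
        except TypeError:
            # This build does not know the usedforsecurity keyword.
            continue
        return name, kwargs
    raise RuntimeError("no permitted digest for cache validators")


def etag_extra(extra, new=hashlib.new):
    """Collapse a list of values into one hex string for use in an ETag."""
    name, kwargs = pick_digest(new)
    m = new(name, **kwargs)
    for elt in extra:
        m.update(repr(elt).encode("utf-8"))  # Python 3 digests need bytes
    return m.hexdigest()


def fips_like_new(name, data=b"", **kwargs):
    """Constructed stand-in: rejects the keyword and refuses md5 outright."""
    if kwargs:
        raise TypeError("unexpected keyword argument")
    if name == "md5":
        raise ValueError("disabled for fips")
    return hashlib.new(name, data)


if __name__ == "__main__":
    print(pick_digest(), etag_extra(["wiki", 42]))
    print(pick_digest(fips_like_new), etag_extra(["wiki", 42], fips_like_new))
```

The chosen digest changes the ETag value, which only causes one cache miss per client after the switch.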
