Public bug reported:
After enabling fips/fips-updates it is impossible to print anymore.
Requesting a print results in the following message in the cups logs:
`ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is
not enabled was negotiated.`
I have came up with a small reproducer:
```
pro attach # to be able to enable FIPS mode
pro enable fips-updates
reboot # to boot the fips kernel
# with FIPS mode enabled
/usr/lib/cups/filter/pdftopdf 555 $USER title 1 ""
/usr/share/cups/data/confidential.pdf
```
The output ends with:
ERROR: cfFilterPDFToPDF: Exception: gnutls: MD5 error: An algorithm that is not
enabled was negotiated.
ERROR: pdftopdf filter function failed.
I have tracked the problematic code to:
QPDF::compute_data_key in libqpdf/QPDF_encryption.cc
It unconditionally uses MD5 (that in turn asks gnutls for MD5) and in
FIPS mode it fails as MD5 is not fips-approved.
The bottomline is: it is not possible to print with fips-mode enabled.
** Affects: qpdf
Importance: Unknown
Status: Unknown
** Affects: qpdf (Ubuntu)
Importance: High
Status: New
** Affects: qpdf (Ubuntu Jammy)
Importance: Undecided
Status: New
** Affects: qpdf (Ubuntu Noble)
Importance: Undecided
Status: New
** Affects: qpdf (Ubuntu Plucky)
Importance: Undecided
Status: New
** Affects: qpdf (Ubuntu Questing)
Importance: Undecided
Status: New
** Affects: qpdf (Ubuntu Resolute)
Importance: High
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2129676
Title:
QPDF tries to use MD5 in FIPS mode
To manage notifications about this bug go to:
https://bugs.launchpad.net/qpdf/+bug/2129676/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
