Suricata 6.X On CentOS 7 In FIPS Mode

Has anyone successfully fully installed Suricata 6.X (and gotten suricata-update to work) on a CentOS 7 server running in FIPS mode? I am getting an error with the md5 hash used to verify something, since md5 is disabled completely in FIPS mode.

I am using make install-full and get the following error:
4/3/2021 -- 22:14:22 - -- No sources configured, will use Emerging Threats Open
Traceback (most recent call last):
File "/usr/bin/suricata-update", line 33, in
File "/usr/bin/…/lib/python2.7/site-packages/suricata/update/", line 1299, in main
File "/usr/bin/…/lib/python2.7/site-packages/suricata/update/", line 1140, in _main
files = load_sources(suricata_version)
File "/usr/bin/…/lib/python2.7/site-packages/suricata/update/", line 927, in load_sources
source_files = Fetch().run(url)
File "/usr/bin/…/lib/python2.7/site-packages/suricata/update/", line 213, in run
fetched = self.fetch(url)
File "/usr/bin/…/lib/python2.7/site-packages/suricata/update/", line 159, in fetch
tmp_filename = self.get_tmp_filename(url)
File "/usr/bin/…/lib/python2.7/site-packages/suricata/update/", line 150, in get_tmp_filename
url_hash = hashlib.md5(url.encode("utf-8")).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
make[1]: *** [install-rules] Error 1
make[1]: Leaving directory `/suricata-6.0.1'
make: *** [install-full] Error 2

MD5 is used for 2 things in Suricata update:

  • It's general practice for rule distributors to provide a URL with a .md5 extension that has the MD5 of the ruleset. This is used as a quick check to see if the ruleset needs to be downloaded.
  • Internal file change tracking is done by hashing the file contents to MD5, as it's already used by the above, and it's good enough/safe for this purpose.

The only other time the FIPS thing has come up, the person wasn't too concerned and had a work-around, so I didn't look into it any further, but perhaps it's something we should look into.

Jason, if you want more information about anything, please let me know.
I am not really doing anything unusual, just a fairly standard install on CentOS 7, but with FIPS mode on (via grub). I don't have all of the nitty-gritty details about the OS config, but I can get them fairly easily. The configure went relatively smoothly, once I got all of the needed packages installed, and the make completed successfully, but the make install-full failed with the above error.
If there is any way to bypass the need for md5, or use another method to validate the ruleset files, etc., that would be ideal.

Unfortunately not. The code will need to be updated to use another mechanism for file change detection. It will also mean downloading the remote rulesets every time to check if they changed, rather than relying on the checksum.

Interesting. Suricata 7 will have md5 hashing support for file extraction built in without requiring it in libraries and should work in FIPS mode. Does that present policy issues?

As long as it works in FIPS mode, it should pass muster policy-wise, since it isn’t something that can really be used outside of suricata-update.

Seeing a message in a different forum for a different product, I have discovered a workaround.
Edit /lib/python2.7/site-packages/suricata/update/ in three locations where hashlib.md5 is called. Add ,usedforsecurity=False and then the script appears to run correctly.

Example: hashlib.md5(url.encode("utf-8"),usedforsecurity=False).hexdigest()

I would HIGHLY recommend making a backup copy of the py script prior to editing it, just in case…

That SEEMS to have fixed my issue. Thank you very much… this will allow us to continue down the path of moving Suricata to the latest version on our current server build.
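
The two MD5 uses listed above (a cache-key/temp-file name derived from the URL, and content hashing for change tracking) and the usedforsecurity=False workaround can be combined into a FIPS-tolerant helper. The code below is an added example written for this thread; it is not suricata-update's own code, and the function names (non_security_digest, tmp_filename_for_url, tagged_file_digest, needs_download, demo) are hypothetical. It assumes the usedforsecurity keyword exists where the workaround relies on it (Python 3.9+, and the RHEL/CentOS-patched python2.7 builds) and, as a design choice not taken from the thread, falls back to SHA-256 when MD5 is refused outright, tagging each digest with its algorithm so a digest from a FIPS host is never silently compared against an MD5 from a non-FIPS one. When the distributor's .md5 cannot be compared, the helper reports that a download is needed, which is the "download every time" behaviour described earlier.

```python
"""FIPS-tolerant hashing for non-security purposes (cache keys, change tracking).
Added example for this thread; not suricata-update's code."""
import hashlib
import os
import tempfile


def non_security_digest(data, algo="md5"):
    """Return (algorithm_used, hexdigest) for a non-security purpose.

    Tries, in order:
      1. hashlib.new(algo, usedforsecurity=False)  (Python 3.9+, RHEL-patched 2.7)
      2. hashlib.new(algo)                         (non-FIPS hosts, older Pythons)
      3. hashlib.new("sha256")                     (FIPS-approved fallback)
    """
    h = None
    for build in (lambda: hashlib.new(algo, usedforsecurity=False),
                  lambda: hashlib.new(algo),
                  lambda: hashlib.new("sha256")):
        try:
            h = build()
            break
        except (TypeError, ValueError):
            # TypeError: interpreter lacks the keyword argument.
            # ValueError: OpenSSL in FIPS mode refused the digest (the thread's error).
            continue
    h.update(data)
    return h.name, h.hexdigest()


def tmp_filename_for_url(url, tmpdir=None):
    """Cache-file name derived from the URL, as get_tmp_filename() in the
    traceback does with a bare hashlib.md5() call. Prefixed with the algorithm
    so md5- and sha256-keyed cache files never collide."""
    name, hexdigest = non_security_digest(url.encode("utf-8"))
    return os.path.join(tmpdir or tempfile.gettempdir(), "%s-%s" % (name, hexdigest))


def tagged_file_digest(path):
    """'algo:hex' of a file's contents, for internal change tracking."""
    with open(path, "rb") as f:
        name, hexdigest = non_security_digest(f.read())
    return "%s:%s" % (name, hexdigest)


def needs_download(local_path, remote_md5=None):
    """Decide whether a ruleset must be re-fetched.

    remote_md5 is the body of the distributor's .md5 file, or None if unknown.
    If the local digest is not MD5 (FIPS fallback), the remote value cannot be
    compared, so the safe answer is to download and compare contents afterwards.
    """
    if not os.path.exists(local_path) or remote_md5 is None:
        return True
    algo, digest = tagged_file_digest(local_path).split(":", 1)
    if algo != "md5":
        return True
    return digest != remote_md5.strip().lower()


def demo():
    """Writes a constructed one-line ruleset to a temp file and returns
    (algorithm used, unchanged?, changed?, checksum-unavailable?)."""
    rules = b'alert tcp any any -> any 80 (msg:"constructed example rule"; sid:1000001; rev:1;)\n'
    fd, path = tempfile.mkstemp(suffix=".rules")
    try:
        os.write(fd, rules)
        os.close(fd)
        algo, hexdigest = non_security_digest(rules)
        # A distributor's .md5 only exists in MD5 form; under the SHA-256
        # fallback there is nothing comparable, modelled here as None.
        remote_md5 = hexdigest if algo == "md5" else None
        return (algo,
                needs_download(path, remote_md5),   # same content -> False when MD5 works
                needs_download(path, "0" * 32),     # checksum differs -> True
                needs_download(path, None))         # no checksum available -> True
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(tmp_filename_for_url("https://rules.example.invalid/emerging.rules.tar.gz"))
    print(demo())
```

On a FIPS host with the patched interpreter the first branch succeeds and the cache keys stay MD5-based, so nothing changes for existing installs; only when MD5 is refused entirely does the helper switch to SHA-256 and force a download, which is the conservative failure mode for a change-detection cache.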

Thanks. I’ll take a look at integrating this into the release.

:wave: Just adding in here that I also have this use case.

I’ve created a ticket for this issue: Feature #4479: Work on FIPS compliant CentOS releases. - Suricata-Update - Open Information Security Foundation