[Bro] Bro 2.5 and FIPS

Hosom, Stephen M hosom at battelle.org
Thu Dec 8 10:15:45 PST 2016

The problem is caused by the fact that Bro needs to process certs that make use of MD5, and in order to do that it uses the portions of OpenSSL that handle MD5... which have been disabled. As for the fix? I'm not actually sure. No matter how you swing it, you really do want to be able to use those portions of the library for network monitoring purposes. The only thing I can think of that might get you out of this is to link against an alternate version of OpenSSL that you use solely for Bro and that disables FIPS mode... that way you have it enabled for most applications, but disabled for Bro. I didn't have long to look into how FIPS mode is set, but it looks like in your case it may have been a build-time option.

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Weasel, Gary W Jr CIV DISA RE (US)
Sent: Thursday, December 8, 2016 9:45 AM
To: 'bro at bro.org' <bro at bro.org>
Subject: [Bro] Bro 2.5 and FIPS
Importance: High


I'm attempting to run Bro 2.5 on a system that is in FIPS 140-2 compliance mode. However, any time that I attempt to run anything Bro related, I end up with MD5 digest errors, such as:

md5_dgst.c(80): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!

Is there any configuration in Bro somewhere that I can change to solve this, where Bro is compatible with a system that's FIPS enabled?  Is that something I would only be able to deal with when compiling Bro from source, or is there a way to run Bro at all in FIPS mode?

- Gary
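The failure Stephen describes above (MD5 reached through a libcrypto whose FIPS mode refuses it) in a small worked form. This is an added example, not code from the thread or from the Bro project. It uses Python's hashlib, which sits on the same OpenSSL libcrypto as Bro; since Python 3.9 hashlib accepts usedforsecurity=False, which is the caller's way of telling a FIPS-aware OpenSSL build that MD5 is wanted only for matching and fingerprinting, not for security, and of degrading gracefully when the library still refuses. The certificate bytes are constructed (not a real DER certificate), and the helper names kernel_fips_enabled, md5_nonsecurity and cert_fingerprints are my own.

```python
import hashlib
from typing import Dict, Optional

# Constructed stand-in for DER-encoded certificate bytes (not a real cert).
# The fingerprinting below only cares about the raw bytes, not the ASN.1.
SAMPLE_DER = bytes.fromhex("3082016b30820115a0030201020209") + b"example-cert-body"


def kernel_fips_enabled(path: str = "/proc/sys/crypto/fips_enabled") -> bool:
    """True when the Linux kernel flag that FIPS-patched OpenSSL builds consult
    reads 1; False when the file is absent (non-FIPS kernel) or reads 0."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def md5_nonsecurity(data: bytes) -> Optional[str]:
    """MD5 requested for matching/fingerprinting only.

    usedforsecurity=False (Python 3.9+) tells a FIPS-aware OpenSSL that this
    digest is not a security use, so builds that honour the flag allow it.
    If libcrypto still refuses (hashlib raises ValueError in FIPS mode), return
    None rather than abort: a monitoring tool would rather log "no MD5" than
    die on the first MD5-signed certificate it sees, which is what Bro 2.5 does.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except TypeError:
        # Python older than 3.9 has no usedforsecurity keyword; plain call.
        try:
            return hashlib.md5(data).hexdigest()
        except ValueError:
            return None
    except ValueError:
        return None


def cert_fingerprints(der: bytes) -> Dict[str, Optional[str]]:
    """Fingerprints in the digests commonly logged for certificates.
    SHA-1 and SHA-256 are FIPS-approved digests and stay available; the MD5
    entry is None when the underlying OpenSSL refuses MD5 in FIPS mode."""
    return {
        "md5": md5_nonsecurity(der),
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    print("kernel FIPS mode:", kernel_fips_enabled())
    for name, value in cert_fingerprints(SAMPLE_DER).items():
        print(f"{name}: {value if value else 'unavailable (MD5 refused in FIPS mode)'}")
```

Run it on the FIPS host and on a normal one: on the FIPS host kernel_fips_enabled() prints True and, unless the OpenSSL build honours the non-security flag, the md5 line reports unavailable instead of the md5_dgst.c assertion that kills Bro. That is the behaviour a monitor linked against a FIPS-mode libcrypto would need in order to keep running.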
