[Bro] [Non-DoD Source] Re: Bro 2.5 and FIPS

Weasel, Gary W Jr CIV DISA RE (US) gary.w.weasel2.civ at mail.mil
Fri Dec 9 06:40:08 PST 2016


Unfortunately it doesn't seem to be that simple.  Commenting out all the references to ANALYZER_MD5 in the scripts didn't make any difference in attempting to run the program, and it seems anything that uses the openssl md5 wrapper probably is what gets stopped.  I'm going through the code trying to see what happens if I just try to remove all the md5 usage for that wrapper, but honestly my current expectation is that this won't even succeed in make.

v/r
Gary W. Weasel, Jr. | Computer Engineer
Incident Response and Recovery Team, RE62
COM: 717.267.5777

-----Original Message-----
From: Johanna Amann [mailto:johanna at icir.org]
Sent: Thursday, December 8, 2016 2:09 PM
To: Hosom, Stephen M <hosom at battelle.org>
Cc: Weasel, Gary W Jr CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil>; bro at bro.org
Subject: [Non-DoD Source] Re: [Bro] Bro 2.5 and FIPS


Actually, MD5 certificates don't really happen anymore in practice, and
OpenSSL would do the verification itself, which probably won't give an
assertion.

While we don't support a configuration of Bro out of the Box that does
not use MD5, I think you might actually be able to accomplish this
without changing too much. I would try downloading the source, going
into scripts/base and commenting all calls that look like...

Files::add_analyzer(f, Files::ANALYZER_MD5);

There only are a few places that do that (mainly certificates are hashed
by default); however, I don't think we really need that. You probably
also need to stay away from using bloom filters. But - that might be
good enough to eliminate all traditional digest MD5 calls in the base
configuration.

Johanna
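The scripts/base edit Johanna describes, written up as an added example (not code from the thread or from the Bro project): it reports how many uncommented `Files::ANALYZER_MD5` calls remain under a script tree and comments them out reversibly. The directory layout and script contents are constructed for the demo, and this only covers script-level calls, not MD5 use inside the Bro core itself.

```shell
#!/bin/sh
# Added example (not from the thread or the Bro project).
# count_md5_calls DIR    -> number of live (uncommented) ANALYZER_MD5 calls
# disable_md5_analyzer DIR -> prefixes each such call with "# FIPS: "

# Count lines that would still register the MD5 file analyzer: the first
# non-blank character must not be '#', so already-commented lines are skipped.
count_md5_calls() {
    grep -r -E '^[[:space:]]*[^#[:space:]].*Files::ANALYZER_MD5' "$1" | wc -l | tr -d ' '
}

# Comment out every Files::add_analyzer(..., Files::ANALYZER_MD5) call.
# The "# FIPS: " marker keeps the change greppable and easy to revert.
# A temp file is used instead of sed -i so the same script runs on GNU and BSD.
disable_md5_analyzer() {
    grep -rl 'Files::ANALYZER_MD5' "$1" | while read -r f; do
        sed -E 's|^([[:space:]]*)(Files::add_analyzer\(.*Files::ANALYZER_MD5.*)|\1# FIPS: \2|' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Constructed stand-in for scripts/base (hypothetical content, not a real Bro file):
# one MD5 registration that must go, one SHA1 registration that must survive.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/files/x509"
    cat > "$d/files/x509/main.bro" <<'EOF'
event file_new(f: fa_file)
    {
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    }
EOF
    printf '%s\n' "$d"
}
```

Run `count_md5_calls` again after `disable_md5_analyzer` and expect 0; anything left is a call the pattern did not catch and needs a look by hand.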

On 8 Dec 2016, at 10:15, Hosom, Stephen M wrote:

> The problem is caused by the fact that Bro needs to process certs that
> make use of md5 and in order to do that it uses the portions of
> OpenSSL that handle md5...which have been disabled. As for the fix?
> I'm not actually sure. No matter how you swing it, you really do want
> to be able to use those portions of the library for network monitoring
> purposes. The only thing I can think of that might get you out of this
> is to link against an alternate version of OpenSSL that you use solely
> for Bro that disables FIPS mode... that way you have it enabled for
> most applications, but disabled for Bro. I didn't have long to look
> into how FIPS mode is set, but it looks like in your case it may have
> been a build time option.
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
> Weasel, Gary W Jr CIV DISA RE (US)
> Sent: Thursday, December 8, 2016 9:45 AM
> To: 'bro at bro.org' <bro at bro.org>
> Subject: [Bro] Bro 2.5 and FIPS
> Importance: High
>
> Hello,
>
> I'm attempting to run Bro 2.5 on a system that is in FIPS 140-2
> compliance mode.  However, any time that I attempt to run anything Bro
> related, I end up with MD5 Digest errors, such as:
>
> md5_dgst.c(80): OpenSSL internal error, assertion failed: Digest MD5
> forbidden in FIPS mode!
>
> Is there any configuration in Bro somewhere that I can change to solve
> this, where Bro is compatible with a system that's FIPS enabled?  Is
> that something I would only be able to deal with when compiling Bro
> from source, or is there a way to run Bro at all in FIPS mode?
>
> Thanks,
> - Gary
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
