[Bro] Bro 2.5 and FIPS

Johanna Amann johanna at icir.org
Thu Dec 8 11:09:27 PST 2016


Actually, MD5 certificates don't really happen anymore in practice, and 
OpenSSL would do the verification itself, which probably won't give an 
assertion.

While we don't support a configuration of Bro out of the box that does 
not use MD5, I think you might actually be able to accomplish this 
without changing too much. I would try downloading the source, going 
into scripts/base and commenting out all calls that look like...

Files::add_analyzer(f, Files::ANALYZER_MD5);

There are only a few places that do that (mainly certificates are hashed 
by default); however, I don't think we really need that. You probably 
also need to stay away from using bloom filters. But that might be 
good enough to eliminate all traditional digest MD5 calls in the base 
configuration.

Johanna

On 8 Dec 2016, at 10:15, Hosom, Stephen M wrote:

> The problem is caused by the fact that Bro needs to process certs that 
> make use of md5 and in order to do that it uses the portions of 
> OpenSSL that handle md5...which have been disabled. As for the fix? 
> I'm not actually sure. No matter how you swing it, you really do want 
> to be able to use those portions of the library for network monitoring 
> purposes. The only thing I can think of that might get you out of this 
> is to link against an alternate version of OpenSSL that you use solely 
> for Bro that disables FIPS mode... that way you have it enabled for 
> most applications, but disabled for Bro. I didn't have long to look 
> into how FIPS mode is set, but it looks like in your case it may have 
> been a build time option.
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of 
> Weasel, Gary W Jr CIV DISA RE (US)
> Sent: Thursday, December 8, 2016 9:45 AM
> To: 'bro at bro.org' <bro at bro.org>
> Subject: [Bro] Bro 2.5 and FIPS
> Importance: High
>
> Hello,
>
> I'm attempting to run Bro 2.5 on a system that is in FIPS 140-2 
> compliance mode.  However, any time that I attempt to run anything Bro 
> related, I end up with MD5 Digest errors, such as:
>
> md5_dgst.c(80): OpenSSL internal error, assertion failed: Digest MD5 
> forbidden in FIPS mode!
>
> Is there any configuration in Bro somewhere that I can change to solve 
> this, where Bro is compatible with a system that's FIPS enabled?  Is 
> that something I would only be able to deal with when compiling Bro 
> from source, or is there a way to run Bro at all in FIPS mode?
>
> Thanks,
> - Gary
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
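The edit Johanna describes (commenting out every `Files::add_analyzer(..., Files::ANALYZER_MD5)` call under scripts/base so the MD5 file analyzer is never attached on a FIPS host), written out as an added POSIX shell example. It is not part of this thread and not the Bro project's own tooling; it assumes a Bro 2.5 source checkout whose scripts end in `.bro`, and the directory to process is passed as the first argument.

```shell
#!/bin/sh
# Added example, not Bro project code. Comments out every line that attaches
# the MD5 file analyzer under a Bro scripts/base tree, so that nothing in the
# base configuration asks OpenSSL for an MD5 digest on a FIPS 140-2 host.
# Assumption: scripts are plain-text *.bro files, one add_analyzer call per line.

# Count the active (not yet commented) MD5 analyzer attachments under $1.
count_md5_analyzer_calls() {
    grep -rh '^[[:space:]]*Files::add_analyzer(.*Files::ANALYZER_MD5' "$1" \
        | wc -l | tr -d ' '
}

# Comment out those lines in place, keeping the original indentation and
# prefixing "# FIPS: " so the change is easy to find and revert.
# Prints the number of lines that were disabled. Idempotent: a second run
# finds nothing left to change and prints 0.
disable_md5_analyzer() {
    dir="$1"
    before=$(count_md5_analyzer_calls "$dir")
    find "$dir" -type f -name '*.bro' | while IFS= read -r f; do
        if grep -q 'Files::ANALYZER_MD5' "$f"; then
            sed 's/^\([[:space:]]*\)\(Files::add_analyzer(.*Files::ANALYZER_MD5.*\)$/\1# FIPS: \2/' \
                "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        fi
    done
    after=$(count_md5_analyzer_calls "$dir")
    echo $((before - after))
}

# Usage (assumed path): disable_md5_analyzer /path/to/bro-2.5/scripts/base
```

Run `count_md5_analyzer_calls` first to see how many call sites the tree has; after `disable_md5_analyzer` reports that same number, a rebuild and a test run against a pcap with certificates should no longer trip the `Digest MD5 forbidden in FIPS mode` assertion from OpenSSL. The SHA-1 and SHA-256 analyzer calls on the same lines are left untouched, since only the MD5 digest is refused in FIPS mode.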
