MD5 warning message using host, dig, nslookup (bind-utils) on SLES 12 SP5 with FIPS enabled.

jmlutz · November 9, 2020, 7:49pm

Hi. I have noticed that whenever I use any of the bind-utils (host, dig, nslookup) on a patched version of SLES 12 SP5 with FIPS enabled, I receive the following warning message.
jlutz@testsles12:~> host 192.168.1.1
hmac_link.c:350: FIPS mode is 1: MD5 is only supported if the value is 0.
Please disable either FIPS mode or MD5.
1.1.168.192.in-addr.arpa domain name pointer www.routerlogin.com.

I am wondering how one can disable MD5 in order to get rid of this message. We are not able to disable FIPS as it’s required within our environment. The version of bind-utils that created this message is ‘bind-utils-9.11.22-3.22.1.x86_64’. Thanks.

Andreas1 · November 10, 2020, 10:22pm

Did you configure openssl correct for FIPS mode as described in FIPS 140-2 security policy for SLES 12 OpenSSL module, chapter 9.1?
https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3038.pdf

https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=suse&CertificateStatus=Active&ValidationYear=0
host from bind-utils use OpenSSL for MD5 usage. And MD5 is not allowed while FIPS mode is on. See FIPS 140-2 security policy for more information.
You should open a service request in SCC (SUSE Customer Center).

Topic		Replies	Views
MD5 not allowed in FIPS 140-2 mode, using SHA-1 for key fing SLES Configure-Administer	3	307	March 7, 2019
Disable TLS 1.0 and 1.1 in SLES12 SP5 SUSE Linux Enterprise Server	0	42	April 1, 2024
Unable to initialize FIPS mode for strongswan in SLES 11 sp SLES Networking	2	183	May 19, 2014
Disable Weak Ciphers from SSH SLES Configure-Administer	1	437	June 9, 2017
Heartbleed and SuSE Servers! SLES Configure-Administer	5	197	April 11, 2014

MD5 warning message using host, dig, nslookup (bind-utils) on SLES 12 SP5 with FIPS enabled.

Related Topics