Posted to notifications@couchdb.apache.org by GitBox <gi...@apache.org> on 2018/07/16 21:03:07 UTC

[GitHub] nickva closed pull request #294: Add troubleshooting information for FIPS mode and workaround (#1171)

nickva closed pull request #294: Add troubleshooting information for FIPS mode and workaround (#1171)
URL: https://github.com/apache/couchdb-documentation/pull/294
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/src/install/troubleshooting.rst b/src/install/troubleshooting.rst
index 408d607..b3758c6 100644
--- a/src/install/troubleshooting.rst
+++ b/src/install/troubleshooting.rst
@@ -276,6 +276,33 @@ the relevant CouchDB and then compact prior to replicating.
 Alternatively, if the number of documents impacted is small, use filtered
 replication to exclude only those documents.
 
+FIPS mode
+---------
+
+Operating systems can be configured to disallow the use of OpenSSL MD5 hash
+functions in order to prevent use of MD5 for cryptographic purposes. CouchDB
+makes use of MD5 hashes for verifying the integrity of data (and not for
+cryptography) and will not run without the ability to use MD5 hashes.
+
+The message below indicates that the operating system is running in "FIPS mode,"
+which among other restrictions does not allow the use of OpenSSL's MD5 funtions:
+
+.. code-block:: text
+
+    md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
+    [os_mon] memory supervisor port (memsup): Erlang has closed
+    [os_mon] cpu supervisor port (cpu_sup): Erlang has closed
+    Aborted
+
+A workaround for this is provided with the ``--erlang-md5`` compile flag. Use of
+the flag results in CouchDB substituting the OpenSSL MD5 function calls with
+equivalent calls to Erlang's built-in library ``erlang:md5.`` NOTE: there may be
+a performance penalty associated with this workaround.
+
+Because CouchDB does not make use of MD5 hashes for cryptographic purposes, this
+workaround does not defeat the purpose of "FIPS mode," provided that the system
+owner is aware of and consents to its use.
+
 macOS Known Issues
 ====================
 undefined error, exit_status 134
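
Review bot: Two text defects in the added "FIPS mode" section should be fixed before merge. In the sentence that introduces the error message, "funtions" should be "functions", and in the workaround paragraph the period sits inside the literal (``erlang:md5.``), so it renders as part of the function name; move it outside the closing backticks. The same paragraph calls ``--erlang-md5`` a "compile flag" without naming the command it is passed to, which leaves the reader to search for it; name the build step. The inline "NOTE:" about the performance penalty would stand out better as a ``.. note::`` directive. Since the last paragraph makes the workaround conditional on the system owner being aware of and consenting to it, consider adding how an operator can tell whether a given build was made with the flag, so that the condition can be checked.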


 
