Getting Redmine to use SHA256 validation instead of MD5

Added by Shane Coles 6 months ago

I've been searching for hours on how to do this now. I am migrating Redmine to a FIPS validated server and having an issue where I cannot access attachments nor view the repository from within a Project.

The error I am getting is:
"OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!"

Another point of reference is that on my Information page from within Redmine, I see the red icon indicating a failure on the "Attachment directory writable", and "Plugin assets directory writable (./plugin/plugin_assets)". I have ensured that both of those folders are owned by the "Redmine" user and that they have full permissions on them.

I'm not sure what else to change, but if I'm understanding this correctly the issue is that Redmine is using MD5, and I need the ability to have it use SHA256.

Is there a way to change this?

There were a couple of other forum posts that mentioned this issue, but I did not find a resolution among them. Any help anyone has on putting Redmine on a FIPS validated server would be very much appreciated.

Thanks!

Replies (7)

RE: Getting Redmine to use SHA256 validation instead of MD5 - Added by Shane Coles 6 months ago

I figured out that the red exclamation point on the Plugin and Attachment directories was not related. I fixed that issue by changing ownership to the Apache user instead of the Redmine user.

The SHA256 issue still remains. If anyone has ideas about how to get Redmine to use SHA256 instead of MD5, that would be very helpful.

RE: Getting Redmine to use SHA256 validation instead of MD5 - Added by Jens Krämer 6 months ago

Redmine since 3.4 uses SHA256 digests by default for new attachments. In order to upgrade existing digests, call `Attachment.update_digests_to_sha256` in a console after upgrading your Redmine.

RE: Getting Redmine to use SHA256 validation instead of MD5 - Added by Shane Coles 6 months ago

Thanks for the response, Jens. I have upgraded to 4.2. Will running that command address the issues with viewing the repository and the "Activity" pages as well? On both of those pages I was getting FIPS validation errors complaining about the MD5 issues. Perhaps there is a separate update command for the other pages?

RE: Getting Redmine to use SHA256 validation instead of MD5 - Added by Pavel Rosický 6 months ago

Jens - you're right, but any use of MD5 is a problem, and there's no migration script to change it.

I think the change should be OK for cache key calculations like this (but you have to clear caches when you change it):
https://github.com/redmine/redmine/blob/3e36b5c452210da457cb6c16385551414071693f/lib/redmine/wiki_formatting.rb#L108

`ActiveSupport::Digest.hexdigest` looks like a good replacement made for this purpose:
https://github.com/rails/rails/blob/main/activesupport/lib/active_support/digest.rb

However, the Gravatar API doesn't support anything other than MD5:
https://gitlab.com/gitlab-org/gitlab/-/issues/19495

I guess we have to disable it if the algorithm isn't available, as the community suggests.
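The point above, that any remaining MD5 call is a problem on a FIPS host, is easiest to act on with an inventory of where MD5 is still referenced before the server is switched over. The following is an added example, not code from Redmine, Rails or this thread, that scans Ruby and ERB sources for the common MD5 call forms. The sample tree is constructed: the first two paths are ones named later in this thread, but their contents are invented, and `lib/example/avatar_helper.rb` is a hypothetical path.

```ruby
require "digest"

# Constructed source tree standing in for a Redmine checkout. The first two
# paths are ones named in this thread; all file contents here are invented for
# the example and are not Redmine's real code. Single-quoted heredocs keep the
# "#{...}" fragments literal instead of interpolating them.
SAMPLE_TREE = {
  "lib/redmine/wiki_formatting.rb" => <<~'RUBY',
    def cache_key_for(format, text)
      "formatted_text/#{format}/#{Digest::MD5.hexdigest(text)}"
    end
  RUBY
  "app/views/repositories/_dir_list_content.html.erb" => <<~'ERB',
    <tr id="<%= Digest::MD5.hexdigest(entry.path) %>">
  ERB
  "lib/example/avatar_helper.rb" => <<~'RUBY',  # hypothetical path
    hash = OpenSSL::Digest.new("md5").hexdigest(email.downcase)
    "https://www.gravatar.com/avatar/#{hash}"
  RUBY
  "config/initializers/fips.rb" => <<~'RUBY',
    ActiveSupport::Digest.hash_digest_class = Digest::SHA256
  RUBY
}.freeze

# Call forms that resolve to MD5 in Ruby's stdlib and the openssl gem.
# Extend the list for other libraries in use.
MD5_PATTERNS = [
  /\bDigest::MD5\b/,
  /\bOpenSSL::Digest::MD5\b/,
  /\bOpenSSL::Digest\.new\(\s*["']md5["']/i,
  /\bOpenSSL::HMAC\.(?:hex|base64)?digest\(\s*["']md5["']/i,
].freeze

Finding = Struct.new(:path, :line_number, :source)

# Report each line of one file that matches an MD5 pattern.
def scan_source(path, source)
  findings = []
  source.each_line.with_index(1) do |line, number|
    next unless MD5_PATTERNS.any? { |pattern| pattern.match?(line) }
    findings << Finding.new(path, number, line.strip)
  end
  findings
end

# Audit an in-memory tree of path => source (used with SAMPLE_TREE below).
def audit(tree)
  tree.flat_map { |path, source| scan_source(path, source) }
end

# Audit a real checkout: every .rb, .erb and .rake file under root.
def audit_directory(root)
  Dir.glob(File.join(root, "**", "*.{rb,erb,rake}")).sort.flat_map do |path|
    scan_source(path, File.read(path))
  end
end

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_TREE).each do |f|
    puts "#{f.path}:#{f.line_number}: #{f.source}"
  end
end
```

Run `audit_directory("/path/to/redmine")` against a real checkout; anything it reports will abort the process under FIPS mode the first time that code path runs, so the list doubles as the set of files to change before deployment.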

RE: Getting Redmine to use SHA256 validation instead of MD5 - Added by Shane Coles 6 months ago

Thanks for the reply, but I'm not really sure where to go with that. Am I just out of luck, or is there actually a way to disable as you mention at the end there? Disabling it might be just as good as switching to SHA256. Just so long as it passes the FIPS validation that would be great.

RE: Getting Redmine to use SHA256 validation instead of MD5 - Added by Shane Coles 5 months ago

Part of this conversation took place offline, but I wanted to make sure to post the resolution here in case anyone else ever comes across this need. In fact, this is something that might make a valuable addition to Redmine in a future release. All of these steps came courtesy of Jens Krämer, so thanks for the help!

To make this work, all references to MD5 need to be changed to SHA256 in the following files under the Redmine folder. In other words, change `Digest::MD5` to `Digest::SHA256`:

lib/redmine/wiki_formatting.rb
lib/redmine/wiki_formatting/markdown/formatter.rb
lib/redmine/wiki_formatting/textile/formatter.rb
app/controllers/repositories_controller.rb
app/views/repositories/_dir_list_content.html.erb

Then there may remain an issue where MD5 is used in Rails itself (this was true in my case). To fix this, you need to create a file under the Redmine folder as `config/initializers/fips.rb`. In this file, place only this line of text:

```ruby
ActiveSupport::Digest.hash_digest_class = Digest::SHA1
```

The last part can be SHA256 or SHA1; I used SHA256. This solution is working for me now! Thanks again!
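The one-line initializer above changes which class `ActiveSupport::Digest.hexdigest` delegates to, which is why it fixes MD5 use inside Rails without touching Redmine's own files. The following is an added example, written in plain Ruby without Rails and not taken from Redmine or Rails, that models that setting in a hypothetical `FipsDigest` module: it shows the class-level switch, the 32-character truncation that keeps the digest at MD5's width (ActiveSupport::Digest truncates the same way), a cache key shaped like the wiki-formatting one discussed earlier, and why keys written under the old algorithm are no longer reachable after the switch, which is the reason caches must be cleared. `FipsDigest`, `formatted_text_cache_key` and `keys_still_reachable` are invented names for this example.

```ruby
require "digest"

# Hypothetical stand-in (not Rails' ActiveSupport::Digest) for a digest helper
# whose algorithm is chosen by a single class-level setting, the way
# ActiveSupport::Digest.hash_digest_class works.
module FipsDigest
  class << self
    attr_reader :hash_digest_class

    # Accept any class offering .hexdigest (Digest::SHA256, Digest::SHA1, ...).
    def hash_digest_class=(klass)
      unless klass.respond_to?(:hexdigest)
        raise ArgumentError, "#{klass} must implement .hexdigest"
      end
      @hash_digest_class = klass
    end

    # Truncated to 32 hex characters so the result keeps MD5's width whatever
    # algorithm is configured; callers sized for MD5 keep working.
    def hexdigest(value)
      hash_digest_class.hexdigest(value.to_s)[0, 32]
    end
  end
end

# FIPS-friendly default for this example.
FipsDigest.hash_digest_class = Digest::SHA256

# Cache key shaped like the formatted-text key discussed in the thread.
def formatted_text_cache_key(format, text)
  "formatted_text/#{format}/#{FipsDigest.hexdigest(text)}"
end

# Derive the same keys under an old and a new digest class and return the
# ones that coincide. An empty result means every entry written under the
# old class is unreachable after the switch, so the cache must be cleared.
def keys_still_reachable(old_class, new_class, texts)
  FipsDigest.hash_digest_class = old_class
  old_keys = texts.map { |text| formatted_text_cache_key("textile", text) }
  FipsDigest.hash_digest_class = new_class
  new_keys = texts.map { |text| formatted_text_cache_key("textile", text) }
  old_keys & new_keys
end

if $PROGRAM_NAME == __FILE__
  puts formatted_text_cache_key("textile", "h1. Release notes")
  shared = keys_still_reachable(Digest::SHA1, Digest::SHA256, ["a", "b", "c"])
  puts "keys shared between SHA1 and SHA256: #{shared.size}"
end
```

The example deliberately compares SHA1 with SHA256 rather than MD5 so that it also runs on a FIPS host; the conclusion is the same for any change of `hash_digest_class`.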

RE: Getting Redmine to use SHA256 validation instead of MD5 - Added by Shane Coles 5 months ago

A couple of other quick notes on this before I forget: I was also upgrading an old server, and as such I had the wrong width of digest data. For my server I needed to:

1. Log in to the Rails console. Go to the Redmine folder and enter the command:
```shell
rails console
```
2. Use this command to convert the data:
```ruby
Attachment.update_digests_to_sha256
```

I also spent a while trying to play with this file here; you should not need to do so. I reverted everything I did to that file and it works right:
app/models/attachment.rb
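The "wrong width of digest data" above is the visible difference between the two algorithms: an MD5 hex digest is 32 characters and a SHA256 hex digest is 64, so a table that predates Redmine 3.4 holds rows of both widths until the conversion runs. The following is an added example, not Redmine's `Attachment.update_digests_to_sha256` and not the Redmine schema, that models what such a conversion has to do: find rows by digest width, recompute SHA256 from the stored bytes, leave already converted rows alone, and report rows whose file is missing. `AttachmentRecord`, `STORED_FILES` and the record values are constructed for the example; the 32-character legacy digests are placeholder strings, not real MD5 values, so nothing here calls MD5.

```ruby
require "digest"

MD5_HEX_LENGTH    = 32
SHA256_HEX_LENGTH = 64

# Stand-in for an attachments row: a stored digest plus a filename on disk.
# The records and values below are constructed for this example.
AttachmentRecord = Struct.new(:id, :disk_filename, :digest, keyword_init: true)

# Constructed "attachment directory": disk filename => file bytes. A nil entry
# models a row whose file has been lost.
STORED_FILES = {
  "200001_notes.txt"   => "release notes\n",
  "200002_build.log"   => "build ok\n",
  "200003_missing.bin" => nil,
}.freeze

# Mixed table as found on an upgraded server: rows 1 and 3 carry 32-character
# placeholder digests (MD5 width, constructed, not real MD5), row 2 is already
# a real SHA256 of its file.
def legacy_records
  [
    AttachmentRecord.new(id: 1, disk_filename: "200001_notes.txt",   digest: "0123456789abcdef" * 2),
    AttachmentRecord.new(id: 2, disk_filename: "200002_build.log",   digest: Digest::SHA256.hexdigest("build ok\n")),
    AttachmentRecord.new(id: 3, disk_filename: "200003_missing.bin", digest: "fedcba9876543210" * 2),
  ]
end

# Classify a stored digest by its width; this is how a mixed table is detected.
def digest_algorithm(digest)
  case digest.to_s.length
  when MD5_HEX_LENGTH    then :md5
  when SHA256_HEX_LENGTH then :sha256
  else :unknown
  end
end

# Recompute SHA256 from the stored bytes for every row not yet at SHA256 width;
# skip converted rows and report rows whose file cannot be read.
def update_digests_to_sha256(records, files)
  summary = { updated: 0, skipped: 0, missing: [] }
  records.each do |record|
    if digest_algorithm(record.digest) == :sha256
      summary[:skipped] += 1
      next
    end
    bytes = files[record.disk_filename]
    if bytes.nil?
      summary[:missing] << record.id
      next
    end
    record.digest = Digest::SHA256.hexdigest(bytes)
    summary[:updated] += 1
  end
  summary
end

# After conversion an attachment is intact only if its bytes still hash to the
# stored SHA256 value; use this to verify the migration rather than trusting it.
def digest_valid?(record, files)
  bytes = files[record.disk_filename]
  !bytes.nil? && record.digest == Digest::SHA256.hexdigest(bytes)
end

if $PROGRAM_NAME == __FILE__
  records = legacy_records
  puts update_digests_to_sha256(records, STORED_FILES).inspect
  records.each do |r|
    puts "#{r.id}: #{digest_algorithm(r.digest)} valid=#{digest_valid?(r, STORED_FILES)}"
  end
end
```

Rows reported under `missing` are the ones to look at by hand: the conversion cannot produce a digest for a file that is no longer in the attachment directory, and such rows would otherwise keep their old 32-character value indefinitely.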
