Notifications not being sent with warning "error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips"

[adrya.stembridge@…]

I recently upgraded our server from EL6 to EL7, however the major change is that this system is now running in FIPS mode.

Trac works OK, except that when I submit a new ticket or reply to an existing ticket, the following error appears at the top of the Trac view:

Warning: The ticket has been created, but an error occurred while sending notifications: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

I have loglevel set to DEBUG in trac.ini, however nothing is being written there that has the same timestamp of the ticket addition/reply.

I am able to send mail from command line using mail user@example.com with the standard options.

Here is the notifications section of trac.ini

[notification]
admit_domains =
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
default_email_format = text/html
email_sender = SendmailEmailSender
ignore_domains =
mime_encoding = none
sendmail_path = /usr/sbin/sendmail
smtp_always_bcc = 
smtp_always_cc =
smtp_default_domain =
smtp_enabled = true
smtp_from = trac@localhost
smtp_from_name =
smtp_password =
smtp_port = 25
smtp_replyto = trac@localhost
smtp_server = localhost

The sendmail path is valid, so what else would cause TRAC to generate the "error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips" error message?

---

System Information

Package	Version
Trac 	1.0.10
Babel 	0.9.6
Genshi 	0.7 (with speedups)
mod_wsgi 	3.4 (WSGIProcessGroup WSGIApplicationGroup %{GLOBAL})
pysqlite 	2.6.0
Python 	2.7.5 (default, Aug 9 2016, 05:27:46) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]
setuptools 	0.9.8
SQLite 	3.7.17
jQuery	1.7.2
jQuery UI	1.8.21
jQuery Timepicker	1.0.1

[Ryan J Ollos]

According to what I've read, md5 isn't allowed on a FIPS compliant system. There are two instances of md5 used in notification module: tags/trac-1.0.10/trac/ticket/notification.py@:467,614#L462​. Maybe we should use sha1 or another algorithm.

[Ryan J Ollos]

Could you try t12562.diff​?

[anonymous]

t12562.diff worked. Got my first email notification just now.

[Ryan J Ollos]

Thanks for testing. I'll wait to hear if any other devs have an opinion about the patch.

[Jun Omae]

That patch would change Message-ID and break email threading. I think we should keep it if possible.

[Ryan J Ollos]

The email threading issue didn't worry me too much. Other solutions are welcome.

[Jun Omae]

I've noticed Message-ID in ticket notification is changed from 1.0-stable to 1.2-stable but didn't investigate it.

1.0-stable: MD5 with env.project_url, '%08d' % ticket.id, 0 and recipient address are used at tags/trac-1.0.12/trac/ticket/notification.py#L462​:

http://localhost/project.url.00000001.0."Joe User" <joe.user@example.org>

1.2-stable: MD5 with env.project_url, ticket id, 0 and event's realm are used in new notification system at branches/1.2-stable/trac/notification/mail.py@14877:379-381#L364​:

http://localhost/project.url.1.0.ticket

I don't want the changes of Message-ID between 1.0-stable and 1.2-stable but it's hard to make same.

[Jun Omae]

What about adding [notification] message_id_hash option to specify hash algorithm? jomae.git@t12562_1.0

In addition, jomae.git@t12562_1.2 includes fix to keep Message-ID between 1.2-stable and 1.0-stable.

[Ryan J Ollos]

The changes look like the best option for resolving the issue.

[Jun Omae]

Thanks for the reply. Committed in [15080-15084].

[anonymous]

trac was updated to 1.0.13 yesterday (by yum), and I started getting a similar error again.

I added

message_id_hash = sha1

To the trac.ini → [notification] section, restarted apache, and am getting email notifications again.

Thanks again for the patch and update.