Edgewall Software

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#12562 closed defect (fixed)

Notifications not being sent with warning "error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips"

Reported by: adrya.stembridge@…
Owned by: Jun Omae
Priority: high
Milestone: 1.0.13
Component: notification
Version: 1.0.10
Severity: normal
Keywords: fips, md5, sendmail, error
Cc:
Branch:
Release Notes:

Added [notification] message_id_hash option to specify hash algorithm instead of md5 in FIPS mode.

API Changes:
Internal Changes:

Description

I recently upgraded our server from EL6 to EL7, however the major change is that this system is now running in FIPS mode.

Trac works OK, except that when I submit a new ticket or reply to an existing ticket, the following error appears at the top of the Trac view:

Warning: The ticket has been created, but an error occurred while sending notifications: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

I have loglevel set to DEBUG in trac.ini, however nothing is being written there that has the same timestamp of the ticket addition/reply.

I am able to send mail from command line using mail user@example.com with the standard options.

Here is the notifications section of trac.ini

[notification]
admit_domains =
always_notify_owner = true
always_notify_reporter = true
always_notify_updater = true
default_email_format = text/html
email_sender = SendmailEmailSender
ignore_domains =
mime_encoding = none
sendmail_path = /usr/sbin/sendmail
smtp_always_bcc = 
smtp_always_cc =
smtp_default_domain =
smtp_enabled = true
smtp_from = trac@localhost
smtp_from_name =
smtp_password =
smtp_port = 25
smtp_replyto = trac@localhost
smtp_server = localhost

The sendmail path is valid, so what else would cause TRAC to generate the "error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips" error message?


System Information

Package	Version
Trac 	1.0.10
Babel 	0.9.6
Genshi 	0.7 (with speedups)
mod_wsgi 	3.4 (WSGIProcessGroup WSGIApplicationGroup %{GLOBAL})
pysqlite 	2.6.0
Python 	2.7.5 (default, Aug 9 2016, 05:27:46) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]
setuptools 	0.9.8
SQLite 	3.7.17
jQuery	1.7.2
jQuery UI	1.8.21
jQuery Timepicker	1.0.1

Attachments (1)

t12562.diff (1.3 KB) - added by Ryan J Ollos 4 years ago.


Change History (14)

comment:1 by anonymous, 4 years ago

Keywords: fips md5 sendmail error added

comment:2 by Ryan J Ollos, 4 years ago

According to what I've read, md5 isn't allowed on a FIPS compliant system. There are two instances of md5 used in notification module: tags/trac-1.0.10/trac/ticket/notification.py@:467,614#L462. Maybe we should use sha1 or another algorithm.

by Ryan J Ollos, 4 years ago

Attachment: t12562.diff added

comment:3 by Ryan J Ollos, 4 years ago

Could you try t12562.diff?

comment:4 by anonymous, 4 years ago

t12562.diff worked. Got my first email notification just now.

comment:5 by Ryan J Ollos, 4 years ago

Milestone: 1.0.13

Thanks for testing. I'll wait to hear if any other devs have an opinion about the patch.

comment:6 by Jun Omae, 4 years ago

That patch would change Message-ID and break email threading. I think we should keep it if possible.

comment:7 by Ryan J Ollos, 4 years ago

The email threading issue didn't worry me too much. Other solutions are welcome.


comment:8 by Jun Omae, 4 years ago

I've noticed Message-ID in ticket notification is changed from 1.0-stable to 1.2-stable but didn't investigate it.

1.0-stable: MD5 with env.project_url, '%08d' % ticket.id, 0 and recipient address are used at tags/trac-1.0.12/trac/ticket/notification.py#L462:

http://localhost/project.url.00000001.0."Joe User" <joe.user@example.org>

1.2-stable: MD5 with env.project_url, ticket id, 0 and event's realm are used in new notification system at branches/1.2-stable/trac/notification/mail.py@14877:379-381#L364:

http://localhost/project.url.1.0.ticket

I don't want the Message-ID to change between 1.0-stable and 1.2-stable, but it's hard to make them the same.

comment:9 by Jun Omae, 4 years ago

What about adding [notification] message_id_hash option to specify hash algorithm? jomae.git@t12562_1.0

In addition, jomae.git@t12562_1.2 includes a fix to keep Message-ID between 1.2-stable and 1.0-stable.

comment:10 by Ryan J Ollos, 4 years ago

The changes look like the best option for resolving the issue.

comment:11 by Jun Omae, 4 years ago

Release Notes: modified (diff)
Resolution: fixed
Status: new → closed

Thanks for the reply. Committed in [15080-15084].

comment:12 by Jun Omae, 4 years ago

Owner: set to Jun Omae

comment:13 by anonymous, 4 years ago

trac was updated to 1.0.13 yesterday (by yum), and I started getting a similar error again.

I added

message_id_hash = sha1

To the trac.ini → [notification] section, restarted apache, and am getting email notifications again.

Thanks again for the patch and update.
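
The Message-ID seed described in comment:8 and the configurable hash from comment:9, as an added example that is not Trac's own code: it checks which algorithms the host's hashlib will run and shows that each one gives a different Message-ID for the same ticket. The function names and the `<digest@host>` layout are assumptions made for this sketch; the sample values are constructed to match the string quoted in comment:8.

```python
import hashlib


def message_id_seed(project_url, ticket_id, modtime, rcpt):
    # Seed string in the 1.0-stable shape quoted in comment:8.
    return '%s.%08d.%d.%s' % (project_url, ticket_id, modtime, rcpt)


def digest_available(name):
    # hashlib raises ValueError for an unknown name, and also when OpenSSL
    # refuses the algorithm (the "disabled for fips" case in this ticket).
    try:
        hashlib.new(name)
        return True
    except ValueError:
        return False


def first_usable(preferred):
    # Return the first algorithm in `preferred` that this host will run.
    for name in preferred:
        if digest_available(name):
            return name
    raise ValueError('no usable hash algorithm in %r' % (preferred,))


def message_id(seed, algorithm, host):
    # The "<digest@host>" layout is an assumption made for this example.
    digest = hashlib.new(algorithm, seed.encode('utf-8')).hexdigest()
    return '<%s@%s>' % (digest, host)


if __name__ == '__main__':
    # Constructed sample values matching the string shown in comment:8.
    seed = message_id_seed('http://localhost/project.url', 1, 0,
                           '"Joe User" <joe.user@example.org>')
    for configured in ('md5', 'sha1', 'sha256'):
        if digest_available(configured):
            print(configured, message_id(seed, configured, 'localhost'))
        else:
            print(configured, 'unavailable on this host')
    # Each algorithm yields a different Message-ID for the same ticket, so
    # switching it on a live site detaches new mails from existing threads.
    print('fallback choice:', first_usable(['md5', 'sha1']))
```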
