aronatkins
commented
4 years ago (Internal note: also see support ticket 38544)
Open jmcphers opened 5 years ago
aronatkins
commented
4 years ago (Internal note: also see support ticket 38544)
aronatkins
commented
4 years ago rsconnect shifted to openssl::md5 from digest::digest here (along with other changes): https://github.com/rstudio/rsconnect/pull/116
The digest::digest MD5 algorithm is not bound to the FIPS mode in OpenSSL.
hadley
commented
1 year ago Just a note from the linked PR that when we come to tackle this seriously, some MD5 uses can simply be ripped out in favour of assuming https.
We currently use OpenSSL's MD5 algorithm to add content checksums in several places. Generally we use this wrapper:
https://github.com/rstudio/rsconnect/blob/e6a7248acfb76d81e2ffff0837c43c34c70bf959/R/utils.R#L218-L219
However, some systems, most notably RHEL, can be placed into a FIPS compliant mode. The version of OpenSSL on these systems does not include MD5 since it's not considered a secure hash algorithm. Consequently, enabling FIPS mode on these systems removes the content checksums and with them the ability to publish content to Connect.
We should deprecate MD5 as a hash algorithm for content checksums; SHA-256 would be a better choice.
(Internal note: see support ticket 36904)