External Email - Use Caution        

Thanks!
I suppose my query was ultimately more tightly focused...

I was wondering if the issue is confined to a very small amount of code in Freesurfer, such as for the licensing, that could be refactored to use ciphers that are approved under FIPS.


From: fsbuild <fsbuild@contbay.com>
Sent: Tuesday, July 25, 2023 5:18 PM
To: freesurfer@nmr.mgh.harvard.edu <freesurfer@nmr.mgh.harvard.edu>
Cc: Salomon, Ryan <rsalomon@upenn.edu>
Subject: Re: [Freesurfer] Any chance at all for an official proper fix for Freesurfer on FIPS?
 
My understanding is no environment variable setting like OPENSSL_FIPS=0 will allow md5 or other algorithms found in linux open source code to run which are not allowed under FIPS, e.g. see the list:

docs.oracle.com/cd/E36784_01/html/E54953/fips-notok-1.html

Barring any environment override to turn off FIPS, and assuming you can’t boot into a non-FIPS enabled kernel to run Freesurfer, then one alternative could be to run a container or VM that is not FIPS enabled and in turn run Freesurfer in that.  That container/VM could be constrained with specific userids,  limited mount points, limited network connections, etc.

There are examples of users running (even cloud based) container instances where they need to disable FIPS in order to run software/services,

www.ibm.com/docs/en/cloud-private/3.2.0?topic=guide-enabling-disabling-fips-mode

We currently don’t have resources to test Freesurfer in a FIPS environment.  But I would not expect FS to run under FIPS given the list in the above link.

- R.
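The container/VM alternative described in the message above, as an added example that is not part of the thread and not FreeSurfer project code: a small POSIX shell helper that (1) reports whether the host kernel is in FIPS mode by reading /proc/sys/crypto/fips_enabled, and (2) builds a constrained container invocation of the kind suggested (fixed non-root uid, read-only root filesystem, a single writable mount for the subjects directory, no network, all capabilities dropped). The image name, the 1000:1000 uid/gid, the /subjects mount point and the use of podman are assumptions for illustration. One caveat a practitioner should check before relying on this: some distributions build OpenSSL and glibc to consult the host's /proc/sys/crypto/fips_enabled, so a container based on such an image can still end up FIPS-restricted on a FIPS host; verify inside the chosen image (for example, confirm that an MD5 digest succeeds) rather than assuming the container is non-FIPS.

```shell
#!/bin/sh
# Added example, not FreeSurfer project code. Run a FIPS-incompatible tool in a
# deliberately non-FIPS container, constrained as suggested in the thread.
# The image name, uid/gid, and mount points below are assumptions.

# Return 0 (true) when the kernel FIPS flag file contains "1".
# The path is a parameter so the function can be exercised with a constructed
# file; the real file on Linux is /proc/sys/crypto/fips_enabled.
fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] && [ "$(cat "$flag_file" 2>/dev/null)" = "1" ]
}

# Print (rather than execute) a constrained container command line so the
# operator can review it. Arguments: image, host subjects directory, command...
# Hardening choices, each a deliberate restriction rather than a default:
#   --user 1000:1000                 fixed, unprivileged uid/gid (assumed value)
#   --read-only + --tmpfs /tmp       immutable root filesystem, scratch in tmpfs
#   --volume ...:/subjects:Z         the only writable host path (SELinux label)
#   --network none                   no network at all
#   --cap-drop ALL                   no Linux capabilities
#   --security-opt no-new-privileges no setuid/setcap escalation inside
build_run_cmd() {
    image="$1"
    subjects="$2"
    shift 2
    printf '%s' "podman run --rm"
    printf ' %s' "--user 1000:1000"
    printf ' %s' "--read-only"
    printf ' %s' "--tmpfs /tmp"
    printf ' %s' "--volume ${subjects}:/subjects:Z"
    printf ' %s' "--network none"
    printf ' %s' "--cap-drop ALL"
    printf ' %s' "--security-opt no-new-privileges"
    printf ' %s' "--env SUBJECTS_DIR=/subjects"
    printf ' %s' "$image"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Command to run inside the container to confirm the image really is not
# FIPS-restricted: an MD5 digest must succeed (it is rejected under FIPS),
# and the kernel flag is shown for reference because it is inherited from
# the host and may still read "1" even when userspace crypto is unrestricted.
verify_cmd() {
    printf '%s\n' 'cat /proc/sys/crypto/fips_enabled 2>/dev/null; openssl dgst -md5 /dev/null && echo "md5 accepted: userspace not FIPS-restricted"'
}

# Usage when run directly: report host state, then print the reviewed command.
if [ "${0##*/}" = "run_nonfips_container.sh" ]; then
    if fips_enabled; then
        echo "host kernel is in FIPS mode; running inside a non-FIPS container"
    else
        echo "host kernel is not in FIPS mode"
    fi
    # Image name and subjects path are placeholders (assumed values).
    build_run_cmd localhost/freesurfer-nonfips:7.4.1 /data/subjects \
        sh -c "$(verify_cmd) && mri_deface /subjects/in.mgz"
fi
```

Save as run_nonfips_container.sh and run it to see the host FIPS state and the command it would issue; nothing is executed against a container until the printed command is reviewed and run by hand. If the verification step inside the container reports that MD5 is rejected, the image itself honours the host's FIPS flag and a different base image is needed for this approach to work.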

On Jul 24, 2023, at 12:26, Salomon, Ryan <rsalomon@upenn.edu> wrote:


Hello!
I'm trying to support our users who use Freesurfer on our systems, but we are trying to keep to a rollout of FIPS, without the need to employ any hacks or the like, and I don't believe non-FIPS is an option on our systems. 

We still encounter the crypt() error on Freesurfer versions greater than 7.1.1, and again, non-FIPS is likely not an option. 
There is an environment variable workaround that has been mentioned elsewhere and it doesn't seem to be working for me for mri_deface at least, and again, I really would like to see a word about a proper solution. 
_______________________________________________
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer