External Email - Use Caution
My understanding is no environment variable setting like OPENSSL_FIPS=0 will allow md5 or other algorithms found in Linux open source code to run which are not allowed under FIPS, e.g., see list:
docs.oracle.com/cd/E36784_01/html/E54953/fips-notok-1.html

Barring any environment override to turn off FIPS, and assuming you can’t boot into a non-FIPS enabled kernel to run Freesurfer, then one alternative could be to run a container or VM that is not FIPS enabled and in turn run Freesurfer in that. That container/VM could be constrained with specific user IDs, limited mount points, limited network connections, etc.

There are examples of users running (even cloud based) container instances where they need to disable FIPS in order to run software/services:
http://secure-web.cisco.com/1YPySRXdxKA8W9FNheIf6NOl70aLbr0Kl0TeGnNEk89j6ZUo...

We currently don’t have resources to test Freesurfer in a FIPS environment. But I would not expect FS to run under FIPS given the list in the above link.

- R.
On Jul 24, 2023, at 12:26, Salomon, Ryan <rsalomon@upenn.edu> wrote:

Hello! I'm trying to support our users who use Freesurfer on our systems, but we are trying to keep to a rollout of FIPS, without the need to employ any hacks or the like, and I don't believe non-FIPS is an option on our systems.

We still encounter the crypt() error on Freesurfer versions greater than 7.1.1, and again, non-FIPS is likely not an option. There is an environment variable workaround that has been mentioned elsewhere and it doesn't seem to be working for me for mri_deface at least, and again, I really would like to see a word about a proper solution.

_______________________________________________
Freesurfer mailing list
Freesurfer@nmr.mgh.harvard.edu
https://mail.nmr.mgh.harvard.edu/mailman/listinfo/freesurfer
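The constrained, non-FIPS container that the reply above suggests, written out as an added example (this is not code from the thread or from the FreeSurfer project): a shell script that reports the host kernel's FIPS flag and assembles a docker run command that pins the container to the caller's uid/gid, drops all capabilities, gives it no network and a read-only root filesystem, and exposes only two bind mounts. The function names, the image tag, the /subjects and /license.txt mount paths and the sample mri_deface paths are assumptions for illustration; FS_LICENSE and SUBJECTS_DIR are FreeSurfer's own environment variables.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeSurfer project: inspect the
# host's FIPS flag and build a locked-down container invocation for one
# FreeSurfer tool. Function names, image tag and mount paths are assumptions.

# Print "enabled" when the kernel FIPS flag is set, "disabled" otherwise.
# The optional argument lets the check be pointed at a different file.
fips_state() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
    echo enabled
  else
    echo disabled
  fi
}

# Assemble (print, do not run) the docker command:
#   fs_container_cmd IMAGE HOST_SUBJECTS_DIR HOST_LICENSE_FILE [command ...]
# Specific user id (--user), limited mount points (read-only root, scratch
# /tmp, one rw data mount, one ro license mount) and no network, as the
# reply describes. FS_LICENSE and SUBJECTS_DIR are FreeSurfer's variables.
fs_container_cmd() {
  image="$1"; subjects="$2"; license="$3"
  shift 3
  printf '%s ' docker run --rm -it \
    --user "$(id -u):$(id -g)" \
    --cap-drop ALL --security-opt no-new-privileges \
    --network none \
    --read-only --tmpfs /tmp \
    -v "$subjects:/subjects" \
    -v "$license:/license.txt:ro" \
    -e FS_LICENSE=/license.txt -e SUBJECTS_DIR=/subjects \
    "$image" "$@"
  printf '\n'
}

echo "host kernel FIPS mode: $(fips_state)"
# Sample invocation with constructed paths; the template locations assume the
# image installs FreeSurfer under /usr/local/freesurfer.
fs_container_cmd freesurfer/freesurfer:7.4.1 "$HOME/subjects" "$HOME/license.txt" \
  mri_deface /subjects/sub01/mri/orig.mgz \
  /usr/local/freesurfer/average/talairach_mixed_with_skull.gca \
  /usr/local/freesurfer/average/face.gca \
  /subjects/sub01/mri/deface.mgz
```

Two caveats when using this. A container shares the host kernel, so /proc/sys/crypto/fips_enabled still reads 1 inside it; whether the image's crypt() and OpenSSL honour that flag depends on how the image's distribution built those libraries, so verify by running the actual tool in the container rather than trusting the flag. And because the root filesystem is read-only, everything FreeSurfer writes has to land under the mounted subjects directory or /tmp.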
Thanks! I suppose my query was ultimately more tightly focused...
I was wondering if the issue is confined to a very small amount of code in Freesurfer, such as for the licensing, that could be refactored to use ciphers that are approved under FIPS.
________________________________
From: fsbuild <fsbuild@contbay.com>
Sent: Tuesday, July 25, 2023 5:18 PM
To: freesurfer@nmr.mgh.harvard.edu
Cc: Salomon, Ryan <rsalomon@upenn.edu>
Subject: Re: [Freesurfer] Any chance at all for an official proper fix for Freesurfer on FIPS?
(sorry, I split this off as an additional email) Though I take your point about testing, I'd be happy to test in FIPS if it helps our org and others!

Also yes, if ultimately it still can't or won't be done, I can look into containers for this client.