List of RHEL 8 applications using cryptography that are not compliant with FIPS 140-2

Red Hat recommends using libraries from the core crypto components set, because they are guaranteed to pass all relevant crypto certifications, such as FIPS 140-2, and also follow the RHEL system-wide crypto policies. See the RHEL 8 core crypto components article for an overview of the RHEL 8 core crypto components, including how they are selected, how they are integrated into the operating system, how they support hardware security modules and smart cards, and how crypto certifications apply to them.

The following table lists RHEL 8 applications that do not use one of the core crypto components, and therefore break the RHEL 8 FIPS compliance story:

| Application | Details |
|---|---|
| Dnsmasq | Uses nettle directly instead of GnuTLS |
| FreeRADIUS | The RADIUS protocol uses MD5 |
| ghostscript | Own crypto (MD5, RC4, SHA-2, AES) to encrypt and decrypt documents |
| ipxe | Crypto stack for TLS is compiled in, however, it is unused |
| java-1.8.0-openjdk | Full crypto stack [1] |
| Ovmf (UEFI firmware), Edk2, shim | Full crypto stack (an embedded copy of the OpenSSL library) |
| perl-Digest-SHA | SHA-1, SHA-224, ... |
| pidgin | DES, RC4 |
| podman, buildah | OpenPGP crypto stack [2] |
| postgresql | Blowfish crypt |
| samba | AES, DES, RC4 |
| valgrind | AES, hashes [3] |

  1. On RHEL 8.1, java-1.8.0-openjdk requires additional manual configuration to be FIPS-compliant.

  2. Uses GnuPG for signature verification, but contains its own crypto to implement the extraction of data without verification, which is explicitly requested by the user.

  3. Re-implements hardware offload operations, such as AES-NI, in software.