Node-red does not run on a FIPS crypto policy enabled OS #1049

Open
JaysonHurst opened this issue Feb 16, 2024 · 2 comments

@JaysonHurst
Contributor

node-red: v3.1.5
node: v18.18.2
OS: Rocky Linux 9.3.
npm version 9.8.1

To reproduce this issue:
Enable FIPS crypto policy, then start node-red.

Fails with the following error:

 - [warn] Error loading flows: Error: error:0308010C:digital envelope routines::unsupported
 - [red] Uncaught Exception:
 - [error] Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:69:19)
    at Object.createHash (node:crypto:133:10)
    at editor (/usr/local/lib/node_modules/node-red/node_modules/@node-red/editor-api/lib/editor/ui.js:102:34)
    at Layer.handle [as handle_request] (/usr/local/lib/node_modules/node-red/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/local/lib/node_modules/node-red/node_modules/express/lib/router/route.js:144:13)
    at ensureSlash (/usr/local/lib/node_modules/node-red/node_modules/@node-red/editor-api/lib/editor/ui.js:50:13)
    at Layer.handle [as handle_request] (/usr/local/lib/node_modules/node-red/node_modules/express/lib/router/layer.js:95:5)
    at next (/usr/local/lib/node_modules/node-red/node_modules/express/lib/router/route.js:144:13)
    at /usr/local/lib/node_modules/node-red/node_modules/@node-red/editor-api/lib/editor/index.js:39:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

This failure is occurring because node-red is using the MD5 hash algorithm which is outdated and non-FIPS compliant.

If I check out the code and fix the issues with the md5 hash, node-red will start up fine, but then I see errors in the node-red-nodes email node with similar problems.

I have a PR that I would like to submit to fix this issue for both node-red and node-red-nodes email node.

@hardillb
Member

The md5 used in the editor API is just to generate an HTTP cache-busting value. The use of MD5 here is perfectly valid as it's not being used to ensure integrity of anything, just to signal that it has changed.

Using another hash like SHA1 instead shouldn't be a problem. Please raise the PR and we can review it.

As for the email node, I don't see any use of the md5 hash in the node's code itself, but I fully expect most of the dependencies do, as CRAM-MD5 is a possible email authentication mechanism. You may have to talk to the dependencies to see if they provide options to disable that option (but please raise an issue against the node-red/node-red-modules project if you think there is a change required against the email node itself).
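
A sketch of the cache-busting case discussed above, added here as an illustration and not taken from Node-RED's code or from any PR in this thread: it picks a digest the running OpenSSL accepts and derives the token with it. The function names, the `parts` input and the candidate list are assumptions.

```javascript
const crypto = require("node:crypto");

// True if this process can create the digest. With a FIPS crypto policy active,
// createHash("md5") throws the "digital envelope routines::unsupported" error.
function digestUsable(algo) {
  try {
    crypto.createHash(algo).update("probe").digest();
    return true;
  } catch (err) {
    return false;
  }
}

// First candidate that passes `usable`. The predicate is injectable so the
// FIPS case can be simulated on a host that does not enforce FIPS.
function pickDigest(candidates, usable = digestUsable) {
  const algo = candidates.find((a) => usable(a));
  if (!algo) {
    throw new Error("no usable digest among: " + candidates.join(", "));
  }
  return algo;
}

// Hypothetical helper: derive a short cache-busting token from strings that
// change when the served assets change (version, theme settings, ...).
function cacheBustToken(parts, algo = "sha256") {
  const hash = crypto.createHash(algo);
  for (const part of parts) {
    // Length-prefix each part so ["ab", "c"] and ["a", "bc"] differ.
    hash.update(Buffer.byteLength(part) + ":" + part);
  }
  // Truncation is acceptable: the token only signals change, it does not
  // protect integrity.
  return hash.digest("hex").slice(0, 32);
}

// Constructed sample input.
const sampleParts = ["3.1.5", "theme=default"];
const fipsLike = (a) => a !== "md5" && digestUsable(a); // simulates the policy
const chosen = pickDigest(["md5", "sha256"], fipsLike);
console.log("FIPS mode:", crypto.getFips(), "digest:", chosen);
console.log("token:", cacheBustToken(sampleParts, chosen));
```

Probing once at startup and caching the chosen digest keeps the request path free of try/catch; the token changes when the digest changes, which only costs one extra cache miss.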

@JaysonHurst
Contributor Author

JaysonHurst commented Feb 16, 2024

The email node doesn't directly call for an MD5 hash, but allows the underlying code to determine one for it, which by default is MD5. Calling simpleParser with an optional `checksumAlgo:'sha256'` resolves the issue.

I plan on raising a second PR for the email node.
