I'm attempting to install a FreeRADIUS server on a RHEL 6.9 VM. This VM is operating in FIPS mode. I'm running into the problem described in a Red Hat bug report found here.
According to that bug report from March of 2015 the RADIUS protocol requires MD5 support. FreeRADIUS (and RADIUS) can therefore not be supported in FIPS mode.
I'm hoping that in the 3 years that have transpired since that bug report there's been a fix or workaround that I can implement to get around this issue. Unfortunately, I'm restricted to running in FIPS mode per DISA STIG requirements. Is anyone aware of a way to get FreeRADIUS to work on a machine that's operating in FIPS mode?
It seems as though the FreeRADIUS packages being used are being built with the internal MD5 functions enabled, and as such, they're not reliant on OpenSSL's MD5 implementation. This means in this instance, FreeRADIUS will work with OpenSSL in FIPS mode.
For FreeRADIUS 4 (the next major version), I've implemented runtime checking to swap in internal functions if OpenSSL is in FIPS mode, and to use the OpenSSL functions if it is not in FIPS mode.
There are two reasons we want to use the OpenSSL functions over the internal ones when we can:
As you've posted in the comments, certain other algorithms used by TLS may be unavailable. It should be possible to work around any disabled algorithms, by setting an explicit cipher list in the EAP module configuration and in the relevant RADSEC TLS section (TLS config parsing is common code).