Enabling FIPS causes libgcrypt error


I have two CentOS 6.7 machines (server A and B). Same package versions are installed on each system.

Last week I enabled the OpenSSH FIPS 140-2 module on Server A, and that system works flawlessly (including tsql queries to a SQL Server instance).

Today I went through the same steps on Server B (in the link above). After rebooting, fips showed enabled and tested OK - but tsql (to the same SQL Server instance) stopped working with the following error:

[serverB ~]# tsql -S egServer80 -U myusername
Password: 
locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
    Adaptive Server connection failed
There was a problem connecting to the server

I check the log files and find this:

tsql: Libgcrypt warning: MD5 used - FIPS mode inactivated

Enabling debug in freetds yielded this additional error:

14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS internal error.

Backing out the FIPS module (removing fips=1 from grub.conf) and rebooting set things back and I was again able to tsql into my SQL Server instance.

Both CentOS machines use the same libgcrypt version (1.4.5).

Why (or how) is enabling FIPS in grub causing libgcrypt to fail on this one machine? Clearly some configuration is off between the machines, but I cannot spot it, and I have exhausted my resources in finding where to look next.


NOTE #1:

I can reproduce the tsql problem on Server B without enabling FIPS 140-2 in grub, by creating an empty file /etc/gcrypt/fips_enabled. Removing this file sets the system back to normal, and tsql works again.

NOTE #2:

Adding file /etc/gcrypt/fips_enabled on Server A does not affect tsql function at all.

Additional Information

libgcrypt version 1.4.5
freetds version 0.91
openssl version 1.0.1e
CentOS version 6.7
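As an added diagnostic (not part of the original post), the script below reports which of the known libgcrypt FIPS triggers is set on a host, so the two machines can be compared side by side. It assumes the CentOS 6 layout named in the question (kernel flag in /proc/sys/crypto/fips_enabled from fips=1 in /boot/grub/grub.conf, and the /etc/gcrypt/fips_enabled file from NOTE #1); the optional root prefix argument is a convenience for running it against a copied tree.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. libgcrypt switches to FIPS
# mode when the kernel reports fips_enabled=1 (booted with fips=1) or when
# the file /etc/gcrypt/fips_enabled exists; in that mode MD5 is refused,
# which is what "Libgcrypt warning: MD5 used - FIPS mode inactivated" means.

# Print the triggers that are set, space separated, or "none".
# $1 (optional): directory prefix to inspect instead of the live root.
fips_triggers() {
  root="${1:-}"
  out=""
  # Kernel-level trigger (effective now, set by fips=1 on the kernel line).
  if [ -r "$root/proc/sys/crypto/fips_enabled" ] &&
     [ "$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null)" = "1" ]; then
    out="${out}kernel "
  fi
  # libgcrypt-only trigger: the empty file NOTE #1 creates.
  if [ -e "$root/etc/gcrypt/fips_enabled" ]; then
    out="${out}gcrypt-file "
  fi
  # grub.conf still carrying fips=1 (takes effect on the next reboot).
  if [ -r "$root/boot/grub/grub.conf" ] &&
     grep -q 'fips=1' "$root/boot/grub/grub.conf" 2>/dev/null; then
    out="${out}grub-config "
  fi
  if [ -n "$out" ]; then printf '%s\n' "${out% }"; else printf 'none\n'; fi
}

# List the crypto libraries a binary actually loads; identical rpm versions
# on two hosts do not guarantee tsql resolves to the same libgcrypt/GnuTLS.
crypto_libs_of() {
  command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 1; }
  ldd "$1" 2>/dev/null | awk '/libgcrypt|libgnutls|libssl|libcrypto/ {print $1, $3}'
}

echo "FIPS triggers: $(fips_triggers "${ROOT:-}")"
tsql_bin="$(command -v tsql 2>/dev/null || true)"
if [ -n "$tsql_bin" ]; then crypto_libs_of "$tsql_bin"; fi
```

Run it on both servers and diff the output; a host that reports "gcrypt-file" or "kernel" while the other reports "none" explains why libgcrypt behaves differently on the two machines.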