[jira] [Commented] (CASSANDRA-20512) Investigate the usage of FIPS-certified Amazon Corretto Crypto Provider

[Stefan Miklosovic (Jira)]

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-20512?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940916#comment-17940916
 ] 

Stefan Miklosovic commented on CASSANDRA-20512:
-----------------------------------------------

-FIPS dependency does not seem to break anything so far.

[CASSANDRA-20512|https://github.com/instaclustr/cassandra/tree/CASSANDRA-20512]
{noformat}
java17_pre-commit_tests                         
  ✓ j17_build                                        5m 54s
  ✓ j17_cqlsh_dtests_py311                           6m 59s
  ✓ j17_cqlsh_dtests_py311_vnode                     7m 32s
  ✓ j17_cqlsh_dtests_py38                            7m 16s
  ✓ j17_cqlsh_dtests_py38_vnode                      7m 25s
  ✓ j17_cqlshlib_cython_tests                        7m 59s
  ✓ j17_cqlshlib_tests                               10m 9s
  ✓ j17_dtests_vnode                                42m 23s
  ✓ j17_unit_tests                                  15m 30s
  ✓ j17_utests_latest                               15m 49s
  ✓ j17_utests_oa                                   15m 14s
  ✕ j17_dtests                                      39m 43s
      refresh_test.TestRefresh test_refresh_deadlock_startup
  ✕ j17_dtests_latest                               42m 47s
      largecolumn_test.TestLargeColumn test_cleanup
  ✕ j17_jvm_dtests                                  29m 30s
      org.apache.cassandra.fuzz.sai.MultiNodeSAITest mixedFilteringSaiTest 
TIMEOUTED
  ✕ j17_jvm_dtests_latest_vnode                     27m 16s
      org.apache.cassandra.fuzz.sai.MultiNodeSAITest indexOnlySaiTest TIMEOUTED 
                           
{noformat}

[java17_pre-commit_tests|https://app.circleci.com/pipelines/github/instaclustr/cassandra/5722/workflows/f76825f8-61cf-42c0-85e3-e4926ff4ef10]

I think that we should not _force_ people to use -FIPS version of it, we might 
just ship it along and there might be a switch to flip to use that if somebody 
wants to opt-in.

I want to also reach LEGAL to ask if there are any blockers as in shipping 
-FIPS version of it in tarball. No clue how it works on that front. 


> Investigate the usage of FIPS-certified Amazon Corretto Crypto Provider
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-20512
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20512
>             Project: Apache Cassandra
>          Issue Type: Task
>          Components: Legacy/Core
>            Reporter: Stefan Miklosovic
>            Priority: Normal
>
> We are using version 2.2.0 which is almost 2 years old. There is 2.5.0 
> already.
> What is very interesting is that from 2.3.0, they are also offering 
> FIPS-certified version of that. (1, 2, 3).
> (1)https://github.com/corretto/amazon-corretto-crypto-provider?tab=readme-ov-file#notes-on-accp-fips
> (2) 
> https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816
> (3) https://github.com/aws/aws-lc/blob/main/crypto/fipsmodule/FIPS.md
> https://central.sonatype.com/artifact/software.amazon.cryptools/AmazonCorrettoCryptoProvider-FIPS/2.5.0/versions



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org