> So it means the change is only on the client side, not the broker side?

pulsar-functions also depends on BC. In Pulsar, we only use BC or BC-FIPS; right now we are using BC.

> we could consider that in the future. The current way is to align with the old manner.

I talked to Jia: BC is used for compatibility with old users. Maybe we shouldn't break that.

Asaf Mesika <asaf.mes...@gmail.com> wrote on Mon, Mar 6, 2023 at 20:03:

> So it means the change is only on the client side, not the broker side?
>
> On Fri, Mar 3, 2023 at 11:42 AM Zixuan Liu <node...@gmail.com> wrote:
>
> > Hi all,
> >
> > We only use BC to encrypt the message, not TLS, so I think we can
> > migrate to BC-FIPS.
> >
> > If you think it's feasible, I'll try to do it, and if it doesn't pass the
> > Pulsar test, I'll keep using BC.
> >
> > Thanks,
> > Zixuan
> >
> > YuWei Sung <yuwei.s...@streamnative.io.invalid> wrote on Thu, Mar 2, 2023 at 00:40:
> >
> > > The BC and BC-FIPS differences are the cipher suites. This is similar to
> > > TLS 1.1 vs 1.2 vs 1.3. Some suites are deprecated (not secure enough due to
> > > compute power improvement).
> > > In TLS 1.3, the client has no chance to specify weak cipher suites to connect
> > > to the server and exploit the weakness.
> > > For a BC-FIPS hardened Pulsar cluster, brokers should reject connections from
> > > clients with BC (clients must use Security.provider bc-fips).
> > > For a BC non-FIPS cluster, it should be flexible. A client with bc-fips or bc
> > > should be able to connect to Pulsar (bc).
> > >
> > > <https://streamnative.io>
> > >
> > > Yu Wei Sung
> > > Sr. Solutions Engineer
> > > streamnative.io
> > > <http://github.com/streamnative>
> > > <https://www.linkedin.com/company/streamnative/>
> > > <https://twitter.com/streamnativeio/>
> > >
> > > On Wed, Mar 1, 2023 at 10:28 AM Zixuan Liu <node...@gmail.com> wrote:
> > >
> > > > > Actually I was expecting that part of the discussion will specify the
> > > > > difference between using FIPS compared with non-FIPS, in each BouncyCastle
> > > > > usage: TLS and message encryption.
> > > >
> > > > Good catch! I'll check this.
> > > >
> > > > Asaf Mesika <asaf.mes...@gmail.com> wrote on Wed, Mar 1, 2023 at 21:19:
> > > >
> > > > > On Mon, Feb 27, 2023 at 4:35 PM Zixuan Liu <node...@gmail.com> wrote:
> > > > >
> > > > > > > users might get exceptions if they don't use specific algorithms or
> > > > > > > encryption schemes?
> > > > > >
> > > > > > Could you share more info about this?
> > > > >
> > > > > Actually I was expecting that part of the discussion will specify the
> > > > > difference between using FIPS compared with non-FIPS, in each BouncyCastle
> > > > > usage: TLS and message encryption.
> > > > >
> > > > > I imagined that FIPS has a shorter list of ciphers it supports.
> > > > >
> > > > > > Asaf Mesika <asaf.mes...@gmail.com> wrote on Mon, Feb 27, 2023 at 18:01:
> > > > > >
> > > > > > > So if I understand you correctly, once you switch to the FIPS version of
> > > > > > > Bouncy Castle, users might get exceptions if they don't use specific
> > > > > > > algorithms or encryption schemes?
> > > > > > > Potentially a breaking change?
> > > > > > > You can't switch it off via config?
> > > > > > >
> > > > > > > On Wed, Feb 22, 2023 at 3:56 PM Zixuan Liu <node...@gmail.com> wrote:
> > > > > > >
> > > > > > > > > 1. What is FIPS?
> > > > > > > >
> > > > > > > > FIPS (Federal Information Processing Standards) are a set of standards
> > > > > > > > that describe document processing, encryption algorithms and other
> > > > > > > > information technology standards for use within non-military government
> > > > > > > > agencies and by government contractors and vendors who work with the
> > > > > > > > agencies.
> > > > > > > >
> > > > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > > >
> > > > > > > > The FIPS standard is strict. When using the FIPS version, this is also
> > > > > > > > very strict and standard.
> > > > > > > >
> > > > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > > > >
> > > > > > > > We use bouncycastle as the TLS provider, and it is used for the
> > > > > > > > end-to-end message encryption.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Zixuan
> > > > > > > >
> > > > > > > > Asaf Mesika <asaf.mes...@gmail.com> wrote on Wed, Feb 22, 2023 at 21:23:
> > > > > > > >
> > > > > > > > > Can you elaborate a bit:
> > > > > > > > > 1. What is FIPS?
> > > > > > > > > 2. Why is the FIPS version safer exactly?
> > > > > > > > > 3. What is bouncycastle used exactly in Pulsar?
> > > > > > > > >
> > > > > > > > > On Wed, Feb 22, 2023 at 11:58 AM Zixuan Liu <node...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > I would like to discuss using the bouncycastle fips instead of the
> > > > > > > > > > bouncycastle non-fips.
> > > > > > > > > >
> > > > > > > > > > The bouncycastle is a Java library that complements the default Java
> > > > > > > > > > Cryptographic Extension (JCE), which has two versions: the fips version
> > > > > > > > > > and the non-fips version.
> > > > > > > > > >
> > > > > > > > > > The fips version is safer than non-fips. When the security level is
> > > > > > > > > > very high, many policies require the fips version, but the Pulsar
> > > > > > > > > > default uses the non-fips version. Switching this is complex, because
> > > > > > > > > > the `pulsar-client-messagecrypto-bc` module and the root project depend
> > > > > > > > > > on the non-fips version, so I suggest we switch to the fips version
> > > > > > > > > > from non-fips.
> > > > > > > > > >
> > > > > > > > > > Reference:
> > > > > > > > > > - https://www.bouncycastle.org/
> > > > > > > > > > - https://www.bouncycastle.org/fips_faq.html
> > > > > > > > > > - https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Zixuan
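The thread asks what actually breaks when Pulsar moves from BC to BC-FIPS: YuWei's point that the difference is the set of algorithms the provider will serve, and Asaf's question about whether users get exceptions. The following Java program is an added example, not code from the Pulsar project or from Bouncy Castle, that makes that concrete: it registers the BC-FIPS provider, switches the thread into approved-only mode, probes which cipher transformations the provider still hands out, and runs an AES-GCM round trip of the kind a message-encryption path needs. It assumes the `bc-fips` jar (provider name `BCFIPS`) is on the classpath; the candidate algorithm list and the sample payload are constructed for the example, and the expectation that the Blowfish and Twofish entries are rejected in approved mode is an assumption taken from the BC-FIPS user guide's non-approved list, which is why the code reports availability rather than hard-coding it.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

/** Added example: what a BC -> BC-FIPS switch does to algorithm availability. */
public class BcFipsApprovedModeCheck {

    static final String PROVIDER = "BCFIPS";

    /**
     * Register BC-FIPS at the top of the JCA provider list and turn on approved-only
     * mode. In BC-FIPS the mode is per thread and cannot be switched off again once set,
     * so a broker would do this (or set -Dorg.bouncycastle.fips.approved_only=true)
     * before any crypto runs.
     */
    static void enableApprovedMode() {
        if (Security.getProvider(PROVIDER) == null) {
            Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        }
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
    }

    /** True if BCFIPS will instantiate the transformation in the current mode. */
    static boolean cipherAvailable(String transformation) {
        try {
            Cipher.getInstance(transformation, PROVIDER);
            return true;
        } catch (GeneralSecurityException e) { // NoSuchAlgorithm / NoSuchPadding
            return false;
        }
    }

    /** AES-256-GCM encrypt/decrypt through BCFIPS, the shape of a per-message data key. */
    static boolean aesGcmRoundTrip(byte[] plaintext) throws GeneralSecurityException {
        // Approved mode needs an approved DRBG; "DEFAULT" is the BCFIPS FIPS DRBG.
        SecureRandom rng = SecureRandom.getInstance("DEFAULT", PROVIDER);
        KeyGenerator kg = KeyGenerator.getInstance("AES", PROVIDER);
        kg.init(256, rng);
        SecretKey key = kg.generateKey();

        byte[] nonce = new byte[12]; // 96-bit GCM nonce; never reuse with the same key
        rng.nextBytes(nonce);
        GCMParameterSpec spec = new GCMParameterSpec(128, nonce);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding", PROVIDER);
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        byte[] ct = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding", PROVIDER);
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        return Arrays.equals(plaintext, dec.doFinal(ct));
    }

    public static void main(String[] args) throws Exception {
        enableApprovedMode();
        System.out.println("approved-only mode: " + CryptoServicesRegistrar.isInApprovedOnlyMode());

        // Constructed candidate list: two approved AES modes, two ciphers the BC-FIPS
        // user guide lists as non-approved (assumption: these fail in approved mode).
        Map<String, Boolean> results = new LinkedHashMap<>();
        for (String t : new String[] {
                "AES/GCM/NoPadding",
                "AES/CBC/PKCS5Padding",
                "Blowfish/CBC/PKCS5Padding",
                "Twofish/CBC/PKCS5Padding" }) {
            results.put(t, cipherAvailable(t));
        }
        results.forEach((t, ok) -> System.out.println((ok ? "  available " : "  rejected  ") + t));

        byte[] msg = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        System.out.println("AES-GCM round trip ok: " + aesGcmRoundTrip(msg));

        // TLS is a separate jar (bctls-fips, provider "BCJSSE"); report whether it loaded.
        System.out.println("BCJSSE provider present: " + (Security.getProvider("BCJSSE") != null));
    }
}
```

The useful thing to read off the output is the "rejected" lines: each one is an algorithm that a client or broker built against plain BC could still negotiate, and that a BC-FIPS build in approved mode will refuse with an exception rather than a config warning, which is the breaking change Asaf was asking about. Running the same probe with the provider left out of approved-only mode is the quickest way to see the difference between the two jars on a given Pulsar version.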