I was looking through various Apache Traffic Server posts and noticed that some
FIPS-related work was done with Apache Traffic Server (ATS). I was looking for
someone with first-hand knowledge of the ATS FIPS status who might have some
time for a few questions...
I am working with one of our product teams on FIPS enablement on a product that
is using Apache Traffic Server. I just completed upgrading our product to pull
in ATS 6.0.0 code base and started working on enabling FIPS mode.
I had a few questions pertaining to FIPS support on ATS 6.0.0 as well as some
changes made via "TS-3576 Remove the need for FIPS locking for OpenSSL".
First question is basically: how far has the support for FIPS mode progressed
with ATS?
Follow-up question and observation... I had to make local modifications to the
TS-3576 change that was mentioned in a thread regarding the
SSL_CTX_add_extra_chain_cert_file() update of FIPS mode. As was mentioned in
the separate e-mail thread, the committed code really does nothing, as the
FIPS_mode() call simply reads the current state and then the call to
FIPS_mode_set(mode) basically sets OpenSSL to the same state it is already in
(NO-OP).
+#ifdef OPENSSL_FIPS
+ int mode = FIPS_mode();
+ FIPS_mode_set(mode);
+ Debug("ssl", "FIPS_mode: %d", mode);
+#endif
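Review bot: the FIPS_mode_set(mode) call on the hunk's third line is fed the value just returned by FIPS_mode() on the line above it, so it can only re-apply whatever state OpenSSL is already in and never actually switches the module into FIPS mode; the desired mode should come from configuration (or a compile-time default) rather than from FIPS_mode(). The return value of FIPS_mode_set() is also discarded, so a failed transition would go unnoticed while the Debug() line still reports the requested `mode`; check the result and report the failure before continuing with SSL initialization.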
I made a local modification in our repository to basically add a new config
option to records.config and then set the mode based on the config setting.
That got me past the first issue; then I hit the next major issue, which is that
the Apache Traffic Server code is pretty heavily entrenched in using MD5.
Since MD5 is not FIPS compliant, the call to MD5_Init() in the Ink code then
causes a process to crash. I am now looking into the possibility of converting
the existing MD5 references to SHA256 or making a model where it could be
switched between MD5/SHA256 based on the fips_mode setting. I have not really
started digging into this yet, as I wanted to first probe the ATS community to
see if this work may have already been started, if there was any position
statement, plan, etc. on moving to a FIPS-compliant hash, or if this work was
being avoided for other reasons.
Any input would be greatly appreciated. Likewise if there is a better forum
for posting this question, please let me know.
Thanks,
Craig Schomburg
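The switchable MD5/SHA256 model described in the message above, sketched as an added example that is not part of the original post or of Apache Traffic Server. The records.config option name is a hypothetical placeholder, and truncating SHA-256 to 16 bytes is an assumption made so that code expecting a 128-bit MD5-sized key keeps working.

```python
import hashlib

# Constructed records.config excerpt; "proxy.config.ssl.fips_mode" is a
# hypothetical option name, not a real Apache Traffic Server setting.
SAMPLE_RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.fips_mode INT 1
CONFIG proxy.config.http.cache.http INT 1
"""
FIPS_DIGESTS = {"sha256", "sha384", "sha512"}  # approved hashes for this model


def parse_fips_mode(records_config: str, key: str = "proxy.config.ssl.fips_mode") -> bool:
    """Return True when the records.config excerpt sets `key` to a non-zero INT."""
    for line in records_config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "CONFIG" and parts[1] == key:
            return parts[3] != "0"
    return False  # absent key: FIPS mode off, legacy MD5 behaviour


def digest_allowed(name: str, fips_mode: bool) -> bool:
    """Single chokepoint for the 'is this hash permitted here' decision."""
    return (not fips_mode) or name in FIPS_DIGESTS


def select_digest(fips_mode: bool) -> str:
    """MD5 keeps the legacy behaviour; FIPS mode switches to SHA-256."""
    return "sha256" if fips_mode else "md5"


def cache_key(data: bytes, fips_mode: bool, key_len: int = 16) -> bytes:
    """Fixed-length key for callers that store only key_len bytes (assumption).

    A disallowed digest fails here, at one well-defined point, instead of
    crashing deep inside a library call the way MD5_Init() does under FIPS.
    """
    name = select_digest(fips_mode)
    if not digest_allowed(name, fips_mode):
        raise RuntimeError(f"{name} is not permitted in FIPS mode")
    digest = hashlib.new(name, data).digest()
    if len(digest) < key_len:
        raise ValueError(f"{name} yields only {len(digest)} bytes, need {key_len}")
    return digest[:key_len]  # SHA-256 is truncated to the legacy key width


if __name__ == "__main__":
    fips = parse_fips_mode(SAMPLE_RECORDS_CONFIG)
    print(select_digest(fips), cache_key(b"GET http://example.com/", fips).hex())
```

On a host whose OpenSSL is already running in FIPS mode, hashlib.new("md5") itself may refuse to construct the object, so the non-FIPS branch should be expected to fail there as well.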