There is also code that disables locking for FIPS, that was the main part of
TS-3576. If you would like to submit a github pull request to create a
configurable option that would enable FIPS and enable the locking that would be
great.
I would also be in favor of having a configurable option to use SHA256 instead
of MD5. I don’t know of anyone working on these enhancements.
-Bryan
> On Dec 23, 2015, at 5:33 AM, Craig Schomburg (craigs) <cra...@cisco.com>
> wrote:
>
>
> I was looking through various Apache Traffic Server posts and noticed that
> some FIPS related work was done with Apache Traffic Server (ATS). Was
> looking for someone with first hand knowledge of the ATS FIPS status that
> might have some time for a few questions...
>
> I am working with one of our product teams on FIPS enablement on a product
> that is using Apache Traffic Server. I just completed upgrading our product
> to pull in ATS 6.0.0 code base and started working on enabling FIPS mode.
>
> Had a few questions pertaining to FIPS support on ATS 6.0.0 as well as some
> changes made via "TS-3576 Remove the need for FIPS locking for OpenSSL".
>
> First question is basically how far has the support for FIPs mode progressed
> with ATS?
>
> Follow up question and observation... I had to make local modifications to
> the TS-3576 change that was mentioned in a thread regarding
> SSL_CTX_add_extra_chain_cert_file() update of FIPS mode. As was mentioned in
> the separate e-mail thread the committed code really does nothing as the
> FIPS_mode() call simply reads the current state and then the call to
> FIPS_mode_set(mode) basically sets OpenSSL to the same state it is already in
> (NO-OP).
>
> +#ifdef OPENSSL_FIPS
> + int mode = FIPS_mode();
> + FIPS_mode_set(mode);
> + Debug("ssl", "FIPS_mode: %d", mode);
> +#endif
>
> I made a local modification in our repository to basically add a new config
> option to records.config and then set the mode based on the config setting.
>
> That got me by the first issue then I hit the next major issue which is that
> the Apache Traffic Server code is pretty heavily entrenched in using MD5.
> Since MD5 is not FIPS compliant the call to MD5_Init() in the Ink code then
> causes a process to crash. I am now looking into the possibility of
> converting the existing MD5 references to SHA256 or making a model where it
> could be switched between MD5/SHA256 based on the fips_mode setting. Have
> not really started digging into this yet as I wanted to first probe the ATS
> community to see if this work may have already been started, if there was any
> position statement, plan, etc. on moving to a FIPS compliant hash, or if this
> work was being avoided for other reasons.
>
> Any input would be greatly appreciated. Likewise if there is a better forum
> for posting this question, please let me know.
>
> Thanks,
>
> Craig Schomburg
>
