Thanks Bryan. We just started our investigation of what it will take to FIPS'ify ATS (have a config option). Also looking into what additional work would be required to complete this work. We can figure out the best approach and follow through on the work to get the work reviewed and added to GitHub after we get a better grasp on the work.
More news and likely questions as well to follow.

Craig S.

From: Bryan Call <bc...@apache.org>
Date: Thursday, December 24, 2015 at 1:32 PM
To: "dev@trafficserver.apache.org" <dev@trafficserver.apache.org>
Cc: Craig Schomburg <cra...@cisco.com>
Subject: Re: Question regarding FIPS mode support for Apache Traffic Server

There is also code that disables locking for FIPS; that was the main part of TS-3576. If you would like to submit a GitHub pull request to create a configurable option that would enable FIPS and enable the locking, that would be great. I would also be in favor of having a configurable option to use SHA256 instead of MD5. I don't know of anyone working on these enhancements.

-Bryan

On Dec 23, 2015, at 5:33 AM, Craig Schomburg (craigs) <cra...@cisco.com> wrote:

I was looking through various Apache Traffic Server posts and noticed that some FIPS-related work was done with Apache Traffic Server (ATS). Was looking for someone with first-hand knowledge of the ATS FIPS status that might have some time for a few questions...

I am working with one of our product teams on FIPS enablement on a product that is using Apache Traffic Server. I just completed upgrading our product to pull in the ATS 6.0.0 code base and started working on enabling FIPS mode. Had a few questions pertaining to FIPS support on ATS 6.0.0 as well as some changes made via "TS-3576 Remove the need for FIPS locking for OpenSSL".

First question is basically: how far has the support for FIPS mode progressed with ATS?

Follow-up question and observation... I had to make local modifications to the TS-3576 change that was mentioned in a thread regarding the SSL_CTX_add_extra_chain_cert_file() update of FIPS mode.
As was mentioned in the separate e-mail thread, the committed code really does nothing, as the FIPS_mode() call simply reads the current state and then the call to FIPS_mode_set(mode) basically sets OpenSSL to the same state it is already in (NO-OP).

+#ifdef OPENSSL_FIPS
+ int mode = FIPS_mode();
+ FIPS_mode_set(mode);
+ Debug("ssl", "FIPS_mode: %d", mode);
+#endif

I made a local modification in our repository to basically add a new config option to records.config and then set the mode based on the config setting. That got me by the first issue; then I hit the next major issue, which is that the Apache Traffic Server code is pretty heavily entrenched in using MD5. Since MD5 is not FIPS compliant, the call to MD5_Init() in the Ink code then causes the process to crash.

I am now looking into the possibility of converting the existing MD5 references to SHA256 or making a model where it could be switched between MD5/SHA256 based on the fips_mode setting. Have not really started digging into this yet, as I wanted to first probe the ATS community to see if this work may have already been started, if there was any position statement, plan, etc. on moving to a FIPS-compliant hash, or if this work was being avoided for other reasons.

Any input would be greatly appreciated. Likewise, if there is a better forum for posting this question, please let me know.

Thanks,
Craig Schomburg
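Review bot: the quoted hunk never changes the FIPS state: `mode` is read back from `FIPS_mode()` and passed straight to `FIPS_mode_set(mode)`, so the call is a no-op and the `Debug("ssl", "FIPS_mode: %d", mode)` line only reports whatever state the library was already in. To actually enable FIPS from the records.config option discussed in this thread, pass the configured value instead (`FIPS_mode_set(fips_enabled ? 1 : 0)`), check the return value, and log the OpenSSL error and fail startup when the switch is refused, rather than silently continuing in non-FIPS mode.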
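A sketch of the switchable MD5/SHA256 model Craig describes, as an added example that is not ATS code and not part of the original thread: the setting name `proxy.config.ssl.fips_mode` and the fixed 16-byte key width are assumptions, and the records.config lines are constructed.

```python
"""Constructed model of a FIPS-switchable hash for cache-key material.

Not Apache Traffic Server code: the setting name and the fixed key width
below are assumptions made for this example.
"""
import hashlib

FIPS_MODE_SETTING = "proxy.config.ssl.fips_mode"  # hypothetical records.config name
KEY_BYTES = 16  # assumed fixed key width: the size MD5 already produces


def parse_fips_mode(records_config: str) -> bool:
    """Return True if the records.config text enables FIPS mode.

    records.config lines have the form: CONFIG <name> INT <value>.
    A missing setting defaults to off, matching the legacy MD5 behaviour.
    """
    for raw in records_config.splitlines():
        fields = raw.split()
        if len(fields) == 4 and fields[0] == "CONFIG" and fields[1] == FIPS_MODE_SETTING:
            return fields[3] != "0"
    return False


def key_digest(data: bytes, fips_mode: bool) -> bytes:
    """Hash key material with an algorithm permitted in the configured mode.

    Under FIPS the crypto library refuses MD5 (the thread saw MD5_Init()
    crash the process), so SHA-256 is used and truncated to the existing key
    width; consumers that store 16-byte keys need no change. Without FIPS the
    legacy MD5 path is kept so existing cache keys stay valid.
    """
    if fips_mode:
        return hashlib.sha256(data).digest()[:KEY_BYTES]
    return hashlib.md5(data).digest()


def key_digest_hex(data: bytes, records_config: str) -> str:
    """Convenience wrapper: select the algorithm from the config text."""
    return key_digest(data, parse_fips_mode(records_config)).hex()


if __name__ == "__main__":
    # Constructed sample configurations, one per mode.
    legacy = "CONFIG proxy.config.ssl.fips_mode INT 0\n"
    fips = "CONFIG proxy.config.ssl.fips_mode INT 1\n"
    print("legacy (MD5):             ", key_digest_hex(b"abc", legacy))
    print("fips (SHA-256, truncated):", key_digest_hex(b"abc", fips))
```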