> On Dec 24, 2015, at 10:38 AM, Craig Schomburg (craigs) <cra...@cisco.com> wrote:
>
> Thanks Bryan.
>
> We just started our investigation of what it will take to FIPS'ify ATS (have
> a config option). Also looking into what additional work would be required
> to complete this work. We can figure out the best approach and follow
> through on the work to get the work reviewed and added to github after we get
> a better grasp on the work.
Since ATS is using MD5 for looking up cache objects, not crypto, does FIPS still apply?

> More news and likely questions as well to follow.
>
> Craig S.
>
> From: Bryan Call <bc...@apache.org>
> Date: Thursday, December 24, 2015 at 1:32 PM
> To: "dev@trafficserver.apache.org" <dev@trafficserver.apache.org>
> Cc: Craig Schomburg <cra...@cisco.com>
> Subject: Re: Question regarding FIPS mode support for Apache Traffic Server
>
> There is also code that disables locking for FIPS, that was the main part of
> TS-3576. If you would like to submit a github pull request to create a
> configurable option that would enable FIPS and enable the locking that would
> be great.
>
> I would also be in favor of having a configurable option to use SHA256
> instead of MD5. I don't know of anyone working on these enhancements.
>
> -Bryan
>
>
> On Dec 23, 2015, at 5:33 AM, Craig Schomburg (craigs) <cra...@cisco.com> wrote:
>
> I was looking through various Apache Traffic Server posts and noticed that
> some FIPS related work was done with Apache Traffic Server (ATS). Was
> looking for someone with first-hand knowledge of the ATS FIPS status that
> might have some time for a few questions...
>
> I am working with one of our product teams on FIPS enablement on a product
> that is using Apache Traffic Server. I just completed upgrading our product
> to pull in the ATS 6.0.0 code base and started working on enabling FIPS mode.
>
> Had a few questions pertaining to FIPS support on ATS 6.0.0 as well as some
> changes made via "TS-3576 Remove the need for FIPS locking for OpenSSL".
>
> First question is basically how far has the support for FIPS mode progressed
> with ATS?
>
> Follow up question and observation...
> I had to make local modifications to
> the TS-3576 change that was mentioned in a thread regarding the
> SSL_CTX_add_extra_chain_cert_file() update of FIPS mode. As was mentioned in
> the separate e-mail thread, the committed code really does nothing, as the
> FIPS_mode() call simply reads the current state and then the call to
> FIPS_mode_set(mode) basically sets OpenSSL to the same state it is already in
> (NO-OP).
>
> +#ifdef OPENSSL_FIPS
> + int mode = FIPS_mode();
> + FIPS_mode_set(mode);
> + Debug("ssl", "FIPS_mode: %d", mode);
> +#endif
>
> I made a local modification in our repository to basically add a new config
> option to records.config and then set the mode based on the config setting.
>
> That got me by the first issue; then I hit the next major issue, which is that
> the Apache Traffic Server code is pretty heavily entrenched in using MD5.
> Since MD5 is not FIPS compliant, the call to MD5_Init() in the Ink code then
> causes the process to crash. I am now looking into the possibility of
> converting the existing MD5 references to SHA256 or making a model where it
> could be switched between MD5/SHA256 based on the fips_mode setting. Have
> not really started digging into this yet, as I wanted to first probe the ATS
> community to see if this work may have already been started, if there was any
> position statement, plan, etc. on moving to a FIPS compliant hash, or if this
> work was being avoided for other reasons.
>
> Any input would be greatly appreciated. Likewise, if there is a better forum
> for posting this question, please let me know.
>
> Thanks,
>
> Craig Schomburg
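Review bot: in the quoted hunk, FIPS_mode_set(mode) is handed the value just read back from FIPS_mode(), so it re-applies whatever state OpenSSL is already in (the no-op the message points out), and its return value is discarded, so a refused switch into FIPS mode would pass silently. The requested mode should come from the records.config setting rather than from FIPS_mode(), and the call should be checked, along the lines of "if (!FIPS_mode_set(enable)) { /* log ERR_get_error() and treat it as a startup failure */ }"; the Debug line should then report FIPS_mode() after the set, not the value read before it, so the log shows the state the process actually ended up in.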
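The following is an added example, not Apache Traffic Server code and not anything posted in this thread. It models the MD5/SHA-256 switch Craig describes and speaks to the question above about whether FIPS applies when MD5 is only a cache-lookup hash. The practical answer is that a FIPS-validated OpenSSL module refuses a non-approved digest regardless of what the caller intends: with the OpenSSL 1.0.x FIPS module of the period the low-level MD5 call aborts (the crash Craig reports), so there the only working route is to key the cache with an approved digest. Newer runtimes can express "non-security use" (Python's hashlib usedforsecurity=False, which on OpenSSL 3 fetches a digest outside the FIPS provider), and the code tries that first and falls back to SHA-256 when the runtime refuses MD5 anyway. It is written in Python rather than the C++ of ATS so that it runs stand-alone; the setting names fips_mode and cache_hash, the list of approved digests, and the choice to keep keys at the 128-bit MD5 width by truncating SHA-256 are assumptions for the illustration.

```python
"""Cache-key digest selection under a FIPS policy switch (added example, not ATS code)."""
import hashlib

KEY_BYTES = 16  # assumption: cache keys keep the 128-bit width of an MD5 digest

# Assumed set of FIPS 140-approved digests that hashlib can provide; MD5 is absent.
FIPS_APPROVED = frozenset({"sha1", "sha224", "sha256", "sha384", "sha512"})


def choose_cache_digest(cache_hash: str, fips_mode: bool) -> str:
    """Resolve the configured cache digest against the fips_mode switch.

    A non-approved choice is overridden to sha256 up front when fips_mode is on,
    instead of letting the digest call itself fail later (the MD5_Init() crash
    described in the thread).
    """
    if fips_mode and cache_hash not in FIPS_APPROVED:
        return "sha256"
    return cache_hash


def _md5_noncrypto(data: bytes):
    """MD5 flagged as a non-security use; None if the runtime refuses MD5 regardless."""
    try:
        return hashlib.md5(data, usedforsecurity=False)
    except TypeError:   # Python < 3.9 does not accept the usedforsecurity flag
        pass
    except ValueError:  # digest forbidden by the active policy
        return None
    try:
        return hashlib.md5(data)
    except ValueError:
        return None


def cache_key(data: bytes, cache_hash: str = "md5", fips_mode: bool = False) -> bytes:
    """Compute the fixed-width key used to locate a cache object."""
    algorithm = choose_cache_digest(cache_hash, fips_mode)
    h = None
    if algorithm == "md5":
        h = _md5_noncrypto(data)
        if h is None:        # MD5 refused outright: take the approved path instead of crashing
            algorithm = "sha256"
    if h is None:
        if algorithm not in FIPS_APPROVED:
            raise ValueError("unsupported cache digest: %s" % algorithm)
        h = hashlib.new(algorithm, data)
    return h.digest()[:KEY_BYTES]


def keys_change_on_switch(data: bytes) -> bool:
    """True when turning fips_mode on changes the key for the same object."""
    return cache_key(data, "md5", fips_mode=False) != cache_key(data, "md5", fips_mode=True)


if __name__ == "__main__":
    url = b"http://example.com/index.html"  # constructed sample input
    print("md5 key  :", cache_key(url, "md5", fips_mode=False).hex())
    print("fips key :", cache_key(url, "md5", fips_mode=True).hex())
    print("re-keyed :", keys_change_on_switch(url))
```

keys_change_on_switch makes the operational cost visible: changing the key digest re-keys every stored object, so nothing written under MD5 keys is found again afterwards, and the switch has to be planned as a cache flush rather than expected to preserve a warm cache. Truncating SHA-256 to the old key width is fine for a lookup key, since the digest here is about locating objects, not about any security property.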