-----Original Message-----
From: James Peach <jpe...@apache.org>
Reply-To: "dev@trafficserver.apache.org" <dev@trafficserver.apache.org>
Date: Sunday, December 27, 2015 at 8:34 PM
To: "dev@trafficserver.apache.org" <dev@trafficserver.apache.org>
Cc: Bryan Call <bc...@apache.org>
Subject: Re: Question regarding FIPS mode support for Apache Traffic Server
>
>> On Dec 24, 2015, at 10:38 AM, Craig Schomburg (craigs) <cra...@cisco.com> wrote:
>>
>> Thanks Bryan.
>>
>> We just started our investigation of what it will take to FIPS'ify ATS
>> (have a config option). Also looking into what additional work would be
>> required to complete this work. We can figure out the best approach and
>> follow through on the work to get the work reviewed and added to github
>> after we get a better grasp on the work.
>
> Since ATS is using MD5 for looking up cache objects, not crypto, does
> FIPS still apply?

Good question. That was one of the questions I had as well. I was going to follow up with our internal FIPS experts (folks that handle the FIPS certifications on our products). Let me get their take and I will follow up with the information on this thread for further discussion.

Craig Schomburg

>
>> More news and likely questions as well to follow.
>>
>> Craig S.
>>
>> From: Bryan Call <bc...@apache.org>
>> Date: Thursday, December 24, 2015 at 1:32 PM
>> To: "dev@trafficserver.apache.org" <dev@trafficserver.apache.org>
>> Cc: Craig Schomburg <cra...@cisco.com>
>> Subject: Re: Question regarding FIPS mode support for Apache Traffic Server
>>
>> There is also code that disables locking for FIPS, that was the main
>> part of TS-3576. If you would like to submit a github pull request to
>> create a configurable option that would enable FIPS and enable the
>> locking that would be great.
>>
>> I would also be in favor of having a configurable option to use SHA256
>> instead of MD5. I don't know of anyone working on these enhancements.
>>
>> -Bryan
>>
>>
>> On Dec 23, 2015, at 5:33 AM, Craig Schomburg (craigs) <cra...@cisco.com> wrote:
>>
>>
>> I was looking through various Apache Traffic Server posts and noticed
>> that some FIPS related work was done with Apache Traffic Server (ATS).
>> Was looking for someone with first-hand knowledge of the ATS FIPS status
>> that might have some time for a few questions...
>>
>> I am working with one of our product teams on FIPS enablement on a
>> product that is using Apache Traffic Server. I just completed upgrading
>> our product to pull in the ATS 6.0.0 code base and started working on
>> enabling FIPS mode.
>>
>> Had a few questions pertaining to FIPS support on ATS 6.0.0 as well as
>> some changes made via "TS-3576 Remove the need for FIPS locking for
>> OpenSSL".
>>
>> First question is basically how far has the support for FIPS mode
>> progressed with ATS?
>>
>> Follow-up question and observation... I had to make local
>> modifications to the TS-3576 change that was mentioned in a thread
>> regarding the SSL_CTX_add_extra_chain_cert_file() update of FIPS mode. As
>> was mentioned in the separate e-mail thread, the committed code really
>> does nothing as the FIPS_mode() call simply reads the current state and
>> then the call to FIPS_mode_set(mode) basically sets OpenSSL to the same
>> state it is already in (NO-OP).
>>
>> +#ifdef OPENSSL_FIPS
>> + int mode = FIPS_mode();
>> + FIPS_mode_set(mode);
>> + Debug("ssl", "FIPS_mode: %d", mode);
>> +#endif
>>
>> I made a local modification in our repository to basically add a new
>> config option to records.config and then set the mode based on the
>> config setting.
>>
>> That got me by the first issue; then I hit the next major issue, which is
>> that the Apache Traffic Server code is pretty heavily entrenched in
>> using MD5. Since MD5 is not FIPS compliant, the call to MD5_Init() in
>> the Ink code then causes the process to crash. I am now looking into the
>> possibility of converting the existing MD5 references to SHA256 or
>> making a model where it could be switched between MD5/SHA256 based on
>> the fips_mode setting.
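Review bot: in the FIPS_mode()/FIPS_mode_set() hunk quoted above, the value passed to `FIPS_mode_set(mode)` is the one just read back from `FIPS_mode()`, so the call can never change the mode (the NO-OP the message describes); the argument should come from a configuration setting rather than from the current state. The return value of `FIPS_mode_set()` is also discarded, so a failed switch into FIPS mode would pass silently; check it and log or fail hard before continuing, rather than only printing `mode` in the `Debug("ssl", ...)` line.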
>> Have not really started digging into this yet
>> as I wanted to first probe the ATS community to see if this work may
>> have already been started, if there was any position statement, plan,
>> etc. on moving to a FIPS compliant hash, or if this work was being
>> avoided for other reasons.
>>
>> Any input would be greatly appreciated. Likewise if there is a better
>> forum for posting this question, please let me know.
>>
>> Thanks,
>>
>> Craig Schomburg
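The MD5/SHA-256 switch keyed on a fips_mode setting that the quoted message proposes, as an added illustration in Python (example code, not ATS code and not from the thread); the CacheKeyHasher wrapper, new_digest helper and sample URLs are assumptions for the demo, and it also handles the failure mode the message hit, MD5 being refused by a FIPS build, by failing once at startup instead of per request.

```python
import hashlib

# Constructed sample cache-object URLs for the demo (not taken from the thread).
SAMPLE_URLS = ["http://example.com/index.html", "http://example.com/app.js"]

def new_digest(fips_mode: bool):
    """Return a fresh hash context for cache-key derivation.

    fips_mode False -> MD5, the digest ATS historically keys its cache on.
    fips_mode True  -> SHA-256, a FIPS-approved digest.
    """
    if fips_mode:
        return hashlib.sha256()
    try:
        # usedforsecurity=False (Python 3.9+) declares the non-cryptographic
        # use (cache lookup) that the thread asks about; a FIPS-restricted
        # OpenSSL then allows MD5 instead of refusing it.
        return hashlib.md5(usedforsecurity=False)
    except TypeError:
        # Older Python has no such keyword; fall back to the plain constructor.
        return hashlib.md5()

class CacheKeyHasher:
    """Selects the digest used for cache-object lookup keys via fips_mode."""

    def __init__(self, fips_mode: bool):
        self.fips_mode = fips_mode
        self.algorithm = "sha256" if fips_mode else "md5"
        try:
            new_digest(fips_mode)  # probe once at startup
        except ValueError as exc:
            # The failure mode from the thread: MD5 refused by a FIPS build.
            # Fail with a clear error here rather than crashing per request.
            raise RuntimeError("MD5 unavailable; set fips_mode=True") from exc

    def key(self, url: str) -> bytes:
        """Raw digest of the URL, as a cache index would store it."""
        h = new_digest(self.fips_mode)
        h.update(url.encode("utf-8"))
        return h.digest()

    def key_hex(self, url: str) -> str:
        return self.key(url).hex()

if __name__ == "__main__":
    for fips in (False, True):
        hasher = CacheKeyHasher(fips)
        for url in SAMPLE_URLS:
            print(f"fips_mode={fips} {hasher.algorithm} {hasher.key_hex(url)}")
```

Switching the digest changes every key (and its length, 16 versus 32 bytes), so objects stored under MD5 keys are not found under SHA-256 keys; flipping fips_mode on an existing cache is effectively a cache flush.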