Standa Laznicka wrote:
> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>>> My 3 cents...
>>>>>
>>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>>
>>>>> -> Does it work in Fedora? Should be worth mentioning it so people are
>>>>> more encouraged to test it in Fedora before it's getting to RHEL 7.4
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Luc
>>>> We cannot guarantee that FIPS mode will work with Fedora, any package
>>>> update may break it.
>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>> adding it there.
>> I can't believe this is correct. Did you try it and it failed? Did you
>> file bugs?
> Yes, yes and no. Please see the header at this page:
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?

> We tried to set up Fedora for FIPS in RHEV but the machine would not
> even start.

Fedora 25 works for me in libvirt. crypto.fips_enabled is 1. It is
enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.

rob

>>
>> The dracut-fips and dracut-fips-aesni packages are both available.
>>
>> # cat /etc/redhat-release
>> Fedora release 25 (Twenty Five)
>> # sysctl crypto.fips_enabled
>> crypto.fips_enabled = 0
>>
>> So the basic stuff is there and the kernel knows what FIPS is.
>>
>> Any NSS-based application can enable FIPS-mode independently of the
>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>> mod_nss).
>>
>> rob