Sean McGinnis <sean.mcgin...@gmx.com> writes:

> I'm interested in some feedback from the community, particularly those running
> OpenStack deployments, as to whether FIPS compliance [0][1] is something folks
> are looking for.
>
> I've been seeing small changes starting to be proposed here and there for
> things like MD5 usage related to its incompatibility to FIPS mode. But looking
> across a wider stripe of our repos, it appears like it would be a wider effort
> to be able to get all OpenStack services compatible with FIPS mode.
>
> This should be a fairly easy thing to test, but before we put in much effort
> into updating code and figuring out testing, I'd like to see some input on
> whether something like this is needed.
>
> Thanks for any input on this.
>
> Sean
>
> [0] https://en.wikipedia.org/wiki/FIPS_140-2
> [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

I know we've had some interest in it at different times. I think some of
the changes will end up being backwards-incompatible, so we may need a
"FIPS-mode" configuration flag for those, but in other places we could
just switch hashing algorithms and be fine.

I'm not sure if anyone has put together the details of what would be
needed to update each project, but this feels like it could be a
candidate for a goal for a future cycle once we have that information
and can assess the level of effort.

Doug