trafficserver-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig Schomburg (craigs)" <>
Subject Re: Question regarding FIPS mode support for Apache Traffic Server
Date Mon, 04 Jan 2016 00:25:19 GMT

-----Original Message-----
From: James Peach <>
Reply-To: "" <>
Date: Sunday, December 27, 2015 at 8:34 PM
To: "" <>
Cc: Bryan Call <>
Subject: Re: Question regarding FIPS mode support for Apache Traffic Server

>> On Dec 24, 2015, at 10:38 AM, Craig Schomburg (craigs)
>><> wrote:
>> Thanks Brian.
>> We just started our investigation of what it will take to FIPS'ify ATS
>>(have a config option).  Also looking into what additional work would be
>>required to complete this work.  We can figure out the best approach and
>>follow through on the work to get the work reviewed and added to github
>>after we get a better grasp on the work.
>Since ATS is using MD5 for looking up cache objects, not crypto, does
>FIPS still apply?

Good question.  That was one of the questions I had as well.  I was going
to follow up with our internal FIPS experts (folks that handle the FIPS
certifications on our products).  Let me get their take and I will follow
up with the information on this thread for further discussion.

Craig Schomburg

>> More news and likely questions as well to follow.
>> Craig S.
>> From: Bryan Call <<>>
>> Date: Thursday, December 24, 2015 at 1:32 PM
>> To: "<>"
>> Cc: Craig Schomburg <<>>
>> Subject: Re: Question regarding FIPS mode support for Apache Traffic
>> There is also code that disables locking for FIPS, that was the main
>>part of TS-3576.  If you would like to submit a github pull request to
>>create a configurable option that would enable FIPS and enable the
>>locking that would be great.
>> I would also be in favor of having a configurable option to use SHA256
>>instead of MD5.  I don't know of anyone working on these enhancements.
>> -Bryan
>> On Dec 23, 2015, at 5:33 AM, Craig Schomburg (craigs)
>><<>> wrote:
>> I was looking through various Apache Traffic Server posts and noticed
>>that some FIPS related work was done with Apache Traffic Server (ATS).
>>Was looking for someone with first hand knowledge of the ATS FIPS status
>>that might have some time for a few questions...
>> I am working with one of our product teams on FIPS enablement on a
>>product that is using Apache Traffic Server.  I just completed upgrading
>>our product to pull in ATS 6.0.0 code base and started working on
>>enabling FIPS mode.
>> Had a few questions pertaining to FIPS support on ATS 6.0.0 as well as
>>some changes made via "TS-3576 Remove the need for FIPS locking for
>> First question is basically how far has the support for FIPs mode
>>progressed with ATS?
>> Follow up question and observation...  I had to make local
>>modifications to the TS-3576 change that was mentioned in a thread
>>regarding SSL_CTX_add_extra_chain_cert_file() update of FIPS mode.  As
>>was mentioned in the separate e-mail thread the committed code really
>>does nothing as the FIPS_mode() call simply reads the current state and
>>then the call to FIPS_mode_set(mode) basically sets OpenSSL to the same
>>state it is already in (NO-OP).
>> +#ifdef OPENSSL_FIPS
>> +    int mode = FIPS_mode();
>> +    FIPS_mode_set(mode);
>> +    Debug("ssl", "FIPS_mode: %d", mode);
>> +#endif
>> I made a local modification in our repository to basically add a new
>>config option to records.config and then set the mode based on the
>>config setting.
>> That got me by the first issue then I hit the next major issue which is
>>that the Apache Traffic Server code is pretty heavily entrenched in
>>using MD5.  Since MD5 is not FIPS compliant the call to MD5_Init() in
>>the Ink code then causes a process to crash.  I am now looking into the
>>possibility of converting the existing MD5 references to SHA256 or
>>making a model where it could be switched between MD5/SHA256 based on
>>the fips_mode setting.  Have not  really started digging into this yet
>>as I wanted to first probe the ATS community to see if this work may
>>have already been started, if there was any position statement, plan,
>>etc. on moving to a FIPS compliant hash, or if this work was being
>>avoided for other reasons.
>> Any input would be greatly appreciated.  Likewise if there is a better
>>forum for posting this question, please let me know.
>> Thanks,
>> Craig Schomburg

View raw message