trafficserver-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig Schomburg (craigs)" <cra...@cisco.com>
Subject Re: Question regarding FIPS mode support for Apache Traffic Server
Date Mon, 04 Jan 2016 00:25:19 GMT


-----Original Message-----
From: James Peach <jpeach@apache.org>
Reply-To: "dev@trafficserver.apache.org" <dev@trafficserver.apache.org>
Date: Sunday, December 27, 2015 at 8:34 PM
To: "dev@trafficserver.apache.org" <dev@trafficserver.apache.org>
Cc: Bryan Call <bcall@apache.org>
Subject: Re: Question regarding FIPS mode support for Apache Traffic Server

>
>> On Dec 24, 2015, at 10:38 AM, Craig Schomburg (craigs)
>><craigs@cisco.com> wrote:
>> 
>> Thanks Brian.
>> 
>> We just started our investigation of what it will take to FIPS'ify ATS
>>(have a config option).  Also looking into what additional work would be
>>required to complete this work.  We can figure out the best approach and
>>follow through on the work to get the work reviewed and added to github
>>after we get a better grasp on the work.
>
>Since ATS is using MD5 for looking up cache objects, not crypto, does
>FIPS still apply?

Good question.  That was one of the questions I had as well.  I was going
to follow up with our internal FIPS experts (folks that handle the FIPS
certifications on our products).  Let me get their take and I will follow
up with the information on this thread for further discussion.

Craig Schomburg

>
>> More news and likely questions as well to follow.
>> 
>> Craig S.
>> 
>> From: Bryan Call <bcall@apache.org<mailto:bcall@apache.org>>
>> Date: Thursday, December 24, 2015 at 1:32 PM
>> To: "dev@trafficserver.apache.org<mailto:dev@trafficserver.apache.org>"
>><dev@trafficserver.apache.org<mailto:dev@trafficserver.apache.org>>
>> Cc: Craig Schomburg <craigs@cisco.com<mailto:craigs@cisco.com>>
>> Subject: Re: Question regarding FIPS mode support for Apache Traffic
>>Server
>> 
>> There is also code that disables locking for FIPS, that was the main
>>part of TS-3576.  If you would like to submit a github pull request to
>>create a configurable option that would enable FIPS and enable the
>>locking that would be great.
>> 
>> I would also be in favor of having a configurable option to use SHA256
>>instead of MD5.  I don't know of anyone working on these enhancements.
>> 
>> -Bryan
>> 
>> 
>> On Dec 23, 2015, at 5:33 AM, Craig Schomburg (craigs)
>><craigs@cisco.com<mailto:craigs@cisco.com>> wrote:
>> 
>> 
>> I was looking through various Apache Traffic Server posts and noticed
>>that some FIPS related work was done with Apache Traffic Server (ATS).
>>Was looking for someone with first hand knowledge of the ATS FIPS status
>>that might have some time for a few questions...
>> 
>> I am working with one of our product teams on FIPS enablement on a
>>product that is using Apache Traffic Server.  I just completed upgrading
>>our product to pull in ATS 6.0.0 code base and started working on
>>enabling FIPS mode.
>> 
>> Had a few questions pertaining to FIPS support on ATS 6.0.0 as well as
>>some changes made via "TS-3576 Remove the need for FIPS locking for
>>OpenSSL".
>> 
>> First question is basically how far has the support for FIPs mode
>>progressed with ATS?
>> 
>> Follow up question and observation...  I had to make local
>>modifications to the TS-3576 change that was mentioned in a thread
>>regarding SSL_CTX_add_extra_chain_cert_file() update of FIPS mode.  As
>>was mentioned in the separate e-mail thread the committed code really
>>does nothing as the FIPS_mode() call simply reads the current state and
>>then the call to FIPS_mode_set(mode) basically sets OpenSSL to the same
>>state it is already in (NO-OP).
>> 
>> +#ifdef OPENSSL_FIPS
>> +    int mode = FIPS_mode();
>> +    FIPS_mode_set(mode);
>> +    Debug("ssl", "FIPS_mode: %d", mode);
>> +#endif
>> 
>> I made a local modification in our repository to basically add a new
>>config option to records.config and then set the mode based on the
>>config setting.
>> 
>> That got me by the first issue then I hit the next major issue which is
>>that the Apache Traffic Server code is pretty heavily entrenched in
>>using MD5.  Since MD5 is not FIPS compliant the call to MD5_Init() in
>>the Ink code then causes a process to crash.  I am now looking into the
>>possibility of converting the existing MD5 references to SHA256 or
>>making a model where it could be switched between MD5/SHA256 based on
>>the fips_mode setting.  Have not  really started digging into this yet
>>as I wanted to first probe the ATS community to see if this work may
>>have already been started, if there was any position statement, plan,
>>etc. on moving to a FIPS compliant hash, or if this work was being
>>avoided for other reasons.
>> 
>> Any input would be greatly appreciated.  Likewise if there is a better
>>forum for posting this question, please let me know.
>> 
>> Thanks,
>> 
>> Craig Schomburg
>> 
>> 
>


Mime
View raw message