trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Call <bc...@apache.org>
Subject Re: FIPS support for ATS
Date Wed, 20 Sep 2017 23:07:07 GMT
From dealing with the FIPS and lock issues before, the motivation was to not handle FIPS locks
do to the performance impact.  That might have changed with OpenSSL 1.1.0 when the locking
issues were resolved.

Backing out the FIPS code in ATS should be all that you need to do and have a FIPS enabled
library.

We have talked about moving from md5 to sha256 before and I would be supportive of that.

-Bryan

> On Sep 20, 2017, at 12:15 PM, Phillip Moore <pdm@pobox.com> wrote:
> 
> Hi,
> 
> Is anyone running ATS in a FIPS* (Federal Information Processing Standard) compliant
setup?  
> 
> I was looking into this and ATS has some code that seems to allow it to call the fips
enable function from openssl but it doesn't work quite right it seems.
> 
> I've patched ATS to force FIPS mode on but ATS fails to start due to MD5 hash functions
no longer being available, and ATS seems to heavily use MD5 internally. 
> 
> As a crazy idea just to see what would happen I basically did s/md5/sha256 in the code
base and was able to make ATS compile and run but it never logged the 'fips enabled' bits,
but it didn't complain about MD5 either. 
> 
> I'm wondering if there was some initial effort for FIPS support that was abandoned, and
what I see in the code now is that remnants.
> 
> Thanks for any comments,
> 
> Phillip Moore
> 
> * https://www.openssl.org/docs/fipsnotes.html <https://www.openssl.org/docs/fipsnotes.html>

Mime
View raw message