All:
I recently was tasked with building and implementing Ceph in an
environment where FIPS cryptography is strictly enforced. As such, I ran into
several issues regarding Ceph's use of low-level cryptographic functions since
those are strictly forbidden when OpenSSL is in FIPS mode. The obvious
solution is to migrate away from the low level crypto functions and over to
OpenSSL's EVP API, which I wrongly assumed would be a huge undertaking. As it
turns out, low level crypto functions are only used in a handful of places and
the work to migrate away has already been completed in the following PRs:
https://github.com/ceph/ceph/pull/23260
https://github.com/ceph/ceph/pull/32675
The latter looks like it will be merged in for the Pacific release, but the former
appears to have been abandoned. The perception is that these pulls are only
related to performance improvements, but they also solve the corner case of
running Ceph in a FIPS-enforced environment. Anecdotally, I rebased the two
pulls on the latest stable Octopus release, 15.2.7, and have a cluster up and
running with no issues as far as I can tell in a FIPS-enforced environment.
Are there any thoughts about reopening PR#23260 and updating both PRs to notate
that they also resolve FIPS compatibility issues?
Thanks,
--
Kenneth Van Alstyne
Systems Architect
M: 804.240.2327
14291 Park Meadow Drive, Chantilly, VA 20151
perspecta