Standa Laznicka wrote:
> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>>> My 3 cents...
>>>>>
>>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>>
>>>>> -> Does is work in Fedora? Should be worth mention it so people are
>>>>> more encouraged to test it in Fedora before its getting to RHEL 7.4
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Luc
>>>> We cannot guarantee that FIPS mode will work with fedora, any package
>>>> update may break it.
>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>> adding it there.
>> I can't believe this is correct. Did you try it and it failed? Did you
>> file bugs?
> Yes, yes and no. Please see the header at this page:
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?

> We tried to set up Fedora for FIPS in RHEV but the machine would not
> even start.

Fedora 25 works for me in libvirt.

crypto.fips_enabled is 1.

It is enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.

rob

>>
>> The dracut-fips and dracut-fips-aesni packages are both available.
>>
>> # cat /etc/redhat-release
>> Fedora release 25 (Twenty Five)
>> # sysctl crypto.fips_enabled
>> crypto.fips_enabled = 0
>>
>> So the basic stuff is there and the kernel knows what FIPS is.
>>
>> Any NSS-based application can enable FIPS-mode independently of the
>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>> mod_nss).
>>
>> rob
> 
> 

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to