Standa Laznicka wrote:
> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>>> My 3 cents...
>>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>> -> Does is work in Fedora? Should be worth mention it so people are
>>>>> more encouraged to test it in Fedora before its getting to RHEL 7.4
>>>>> Thanks,
>>>>> Luc
>>>> We cannot guarantee that FIPS mode will work with fedora, any package
>>>> update may break it.
>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>> adding it there.
>> I can't believe this is correct. Did you try it and it failed? Did you
>> file bugs?
> Yes, yes and no. Please see the header at this page:

Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?

> We tried to set up Fedora for FIPS in RHEV but the machine would not
> even start.

Fedora 25 works for me in libvirt.

crypto.fips_enabled is 1.

It is enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.


>> The dracut-fips and dracut-fips-aesni packages are both available.
>> # cat /etc/redhat-release
>> Fedora release 25 (Twenty Five)
>> # sysctl crypto.fips_enabled
>> crypto.fips_enabled = 0
>> So the basic stuff is there and the kernel knows what FIPS is.
>> Any NSS-based application can enable FIPS-mode independently of the
>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>> mod_nss).
>> rob

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA:

Reply via email to