> I think it'll require a bit more patching than just that. What about > all the plugins and Jenkins core code that requests non-FIPS > algorithms? For example, MD5 is still used for some non-security > features, and I wouldn't expect that to be available in a > FIPS-compliant JCE provider.
As I know MD5 still can be used for not-security features. I'm sure that issue is more complex than removing JKS and add a security provider. But this is a prerequisite for FIPS support. Suggested changes will allow to run Jenkins with BouncyCastleFipsProvider, find unapproved algorithms in Jenkins Core and plugins. After that maintainers can find other issues with FIPS and decide to support FIPS mode or not. Thanks, Ilya Gulyaev пятница, 5 февраля 2021 г. в 18:38:11 UTC+3, [email protected]: > I think it'll require a bit more patching than just that. What about > all the plugins and Jenkins core code that requests non-FIPS > algorithms? For example, MD5 is still used for some non-security > features, and I wouldn't expect that to be available in a > FIPS-compliant JCE provider. > > On the other hand, I'd hope that their JSSE stuff for TLS connections > works fairly transparently which would at least cover the HTTPS and > some Remoting connections. > > On Fri, Feb 5, 2021 at 7:41 AM Илья Гуляев <[email protected]> wrote: > > > > Hi all, > > I want to add support of FIPS 140-2 to Jenkins Core and some plugins. > > > > BouncyCastle Security provider used in Jenkins has FIPS version. > > https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf > > > https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf > > > https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf > > > > I've tried to run Jenkins with BouncyCastleFipsProvider and found some > blockers: > > > > Use hardcode of JKS keystore (BouncyCastleFipsProvider use BCFKS) > > > > https://github.com/search?l=Java&q=org%3Ajenkinsci+JKS&type=Code > > Suggested solution: > > Change > > KeyStore.getInstance("JKS"); > > to > > KeyStore.getInstance(KeyStore.getDefaultType()); > > > > Don't add BouncyCastleProvider in case BouncyCastleFipsProvider already > used, because BouncyCastleProvider contains algorithms, that can't be used > in FIPS mode. > > > > > https://github.com/search?p=2&q=org%3Ajenkinsci+BouncyCastleProvider&type=Code > > > It can be 2 solutions: > > 1. Check already used providers and don't add new if BouncyCastle(BC) or > BouncyCastleFIPS(BCFIPS) already used. > > Example: > > if (Security.getProvider("BC") == null && > Security.getProvider("BCFIPS")) { > > Security.addProvider(new > org.bouncycastle.jce.provider.BouncyCastleProvider()); > > } > > 2. Add the flag for FIPS mode, which should be used in plugins > > Example: > > if (isFipsMode()) { > > Security.addProvider(new > org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider()); > > } else { > > Security.addProvider(new > org.bouncycastle.jce.provider.BouncyCastleProvider()); > > } > > > > What do you think about that change? What you can suggest? > > I can do pull requests for projects used in my Jenkins installation and > will be happy if someone will help with other projects. > > > > -- > > You received this message because you are subscribed to the Google > Groups "Jenkins Developers" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/c27a5acc-e75b-43b7-826a-1610e12d7565n%40googlegroups.com. > > > > > > -- > Matt Sicker > Senior Software Engineer, CloudBees > -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/64db0947-275e-4ab3-8f4d-2234b46c246an%40googlegroups.com.
