Thanks a lot, Philip Guenther. Absolutely needful info for all.
Regards,
Vijay Kumar

On Tue, Jun 16, 2020 at 1:43 PM Marc Roos <[email protected]> wrote:
>
> Thanks for this clear insight!
>
>
> -----Original Message-----
> To: Scott Classen
> Cc: Vijay Kumar; [email protected]
> Subject: *****SPAM***** Re: Info needed on OpenLDAP support / compliance on FIPS 140.2
>
> On Mon, 15 Jun 2020, Scott Classen wrote:
> > Did you build the OpenLDAP binary from source or are you using a
> > binary distribution from somewhere? Like Quanah already stated, you
> > need to determine if the version of OpenSSL you linked against is FIPS
> > compliant. The FIPS designation has nothing to do with OpenLDAP per se.
> >
> > e.g. on my CentOS distro I can type
> >
> > # openssl version
> > OpenSSL 1.0.2k-fips 26 Jan 2017
> >
> > And it lets me know that OpenSSL is FIPS compliant. Then if I build
> > OpenLDAP using the openssl libraries provided with my distro then I'm
> > assuming it would then inherit some of this FIP-ness.
>
> Simply _using_ that library is not nearly enough to pass any sort of
> compliance check. Here's a session using a similar library (CentOS
> 7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant cipher
> suite:
>
> $ openssl version
> OpenSSL 1.0.2k-fips 26 Jan 2017
> $ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet &
> [1] 31787
> $ openssl s_client -connect localhost:4433 -cipher aNULL -quiet
> foo
> read:errno=0
> $ fg
> echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet
> ^C
> $
>
>
> First, you have to actually tell the library to go into FIPS mode. The
> CLI 'openssl' tool will do that when the OPENSSL_FIPS environment
> variable is set and I seem to recall that the system openssl libs on
> RedHat systems (don't remember if it carried over to CentOS) would do so
> if a kernel parameter was set, but in general applications using libssl
> and libcrypto have to use the FIPS_mode_set() API to turn on FIPS mode
> themselves.
>
> Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your
> system libcrypto has something external to force FIPS mode *and you're
> using it*, OpenLDAP will _not_ be using the library in FIPS mode.
>
>
> Furthermore, is that build of openssl still covered by a valid FIPS
> certificate? "It's a build of sources for which some build has had a
> FIPS certificate issued" is cute verbiage and there are many people that
> only care about that: verbiage so they can check an unclearly specified
> box on their documents. Not a bad option if that's all your customers
> expect and all you sell/promise, given that FIPS mode is not strictly
> beneficial with the difficulty it creates for fixing bugs in crypto
> implementations, including--historically--in openssl's code base.
>
> While some customers will find that sufficient to check a box on their
> documents, it ain't going to make real FIPS compliance people (U.S.
> government agencies) blink before ignoring it. If you're going to have
> a compliance audit from such a group, with scheduled followups and
> 30/60/90 day remediation requirements, then no, stock openldap on stock
> centos, for example, will not get you there.
>
>
> Philip Guenther
>
>

--
Thanks & Regards,
Vijay Kumar
*+91-94944 44009*
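As an added example (not code from this thread, from OpenLDAP or from OpenSSL), the script below audits the output of `openssl ciphers -v` for suites of the kind Philip's session negotiated (anonymous DH, RC4, MD5), i.e. suites that a FIPS 140-2 module could never negotiate no matter how the library is linked. The sets of approved key-exchange, authentication, cipher and MAC components are an assumption meant for a pre-audit sanity check, to be reconciled with your module's own Security Policy (3DES in particular is deprecated and may be excluded by yours), and the sample lines are constructed, not captured from a real host.

```python
"""Pre-audit check of an OpenSSL cipher list for suites a FIPS 140-2 module
could not negotiate. Input is the `openssl ciphers -v '<list>'` format.

Added example for this mailing-list thread; not OpenLDAP or OpenSSL code."""
import re
from dataclasses import dataclass, field

# Assumption: approved building blocks of a TLS suite under a typical
# FIPS 140-2 validated OpenSSL module. Reconcile with your module's Security
# Policy; e.g. 3DES is deprecated and may be disallowed in yours.
FIPS_KX = {"RSA", "DH", "ECDH"}
FIPS_AU = {"RSA", "ECDSA", "DSS"}
FIPS_ENC = {"AES", "AESGCM", "AESCCM", "AESCCM8", "3DES"}
FIPS_MAC = {"SHA1", "SHA256", "SHA384", "AEAD"}

# One line of `openssl ciphers -v`, e.g.
# ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)


@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)  # empty means the suite passed

    @property
    def fips_ok(self) -> bool:
        return not self.reasons


def check_suite(line: str) -> Verdict:
    """Classify one `openssl ciphers -v` line, recording every failing component."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised cipher line: {line!r}")
    v = Verdict(m["name"])
    kx = m["kx"].split("/")[0]          # 1.0.x prints static suites as Kx=ECDH/RSA
    if kx not in FIPS_KX:
        v.reasons.append(f"key exchange {m['kx']}")
    if m["au"] not in FIPS_AU:          # Au=None is anonymous DH: no peer authentication
        v.reasons.append(f"authentication {m['au']}")
    if m["enc"].upper() not in FIPS_ENC:  # RC4, Camellia, ChaCha20, None, ...
        v.reasons.append(f"cipher {m['enc']}")
    if m["mac"] not in FIPS_MAC:        # MD5 is not an approved hash
        v.reasons.append(f"MAC {m['mac']}")
    return v


def audit(ciphers_v_output: str) -> list:
    """Check every non-blank line of `openssl ciphers -v` output."""
    return [check_suite(l) for l in ciphers_v_output.splitlines() if l.strip()]


def slapd_tls_cipher_suite(ciphers_v_output: str) -> str:
    """Colon-joined names of the suites that passed, in the form slapd's
    TLSCipherSuite / olcTLSCipherSuite directive takes on OpenSSL builds."""
    return ":".join(v.name for v in audit(ciphers_v_output) if v.fips_ok)


# Constructed sample in the `openssl ciphers -v` format (not from a real host).
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
"""

if __name__ == "__main__":
    for v in audit(SAMPLE):
        status = "ok  " if v.fips_ok else "FAIL"
        print(f"{status} {v.name:28} {', '.join(v.reasons)}")
    print("TLSCipherSuite", slapd_tls_cipher_suite(SAMPLE))
```

To run it against a real configuration, replace SAMPLE with the output of `openssl ciphers -v` for the string in your slapd TLSCipherSuite directive (or `DEFAULT` if you set none), using the same openssl binary the slapd links against. TLS 1.3 suites on OpenSSL 1.1.1+ print `Kx=any Au=any` and would need a separate rule. Passing this audit only removes the suites that would fail regardless; it says nothing about Philip's first point, whether the library was ever switched into FIPS mode at all.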
