I, too, am very interested in this particular discussion and working
towards getting OpenStack working out-of-the-box on FIPS systems. I've
submitted a few patches
( recently
and plan on going down my laundry list of patches I've made while
deploying Red Hat OpenStack 10 (Newton), 13 (Queens), and community
master on "FIPS mode" RHEL 7 servers.

I've seen a lot of debate in other communities on how to approach the
subject ranging from full MD5-to-SHAx transitions to putting in
FIPS-aware logic to decide hashes based on the system to just deciding
that the hashes aren't used for real security and thus are "mostly OK"
by FIPS 140-2 standards (resulting in awkward distro-specific versions
of popular crypto libraries with built-in FIPS awareness). Personally,
I've been more in favor of a sweeping MD5-to-SHAx transition due to
popular crypto libraries (OpenSSL, hashlib, NSS) indiscriminately
disabling MD5 hash methods on FIPS mode systems. With SHA-1 collisions
already happening, I imagine it will meet the FIPS banhammer in the
not-so-distant future which is why I have generally been recommending
SHA-256 as an MD5 replacement, despite the larger output size (mostly
an issue for fixed-sized database columns).

There is definite pressure being put on some entities (commercial as
well as government / DoD) to move core systems to FIPS mode and
auditors are looking more and more closely at this particular subject
and requiring strong justification for not meeting FIPS compliance on
systems both at the hardware and software levels.

OpenStack Development Mailing List (not for usage questions)
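The message contrasts two ways of living with MD5 on FIPS-mode hosts: FIPS-aware logic that picks a hash per system, versus a sweeping MD5-to-SHA-256 replacement, with the larger SHA-256 output colliding with fixed-size database columns. The block below is an added illustration of both strategies, written by the editor; it is not code from the message or from OpenStack. It assumes the Linux `/proc/sys/crypto/fips_enabled` flag that RHEL exposes, and the sample input is constructed.

```python
"""Two strategies for MD5 on FIPS-mode hosts (editor's added example)."""
import hashlib

# Constructed sample input, standing in for e.g. a cache key or ETag source.
SAMPLE = b"hello"


def fips_mode_enabled(proc_path="/proc/sys/crypto/fips_enabled"):
    """Return True if the kernel reports FIPS mode (RHEL exposes this flag)."""
    try:
        with open(proc_path) as fh:
            return fh.read().strip() == "1"
    except OSError:  # not Linux, or flag absent: treat as non-FIPS
        return False


def md5_usable():
    """Probe whether the crypto backend will construct an MD5 object at all."""
    try:
        hashlib.md5(b"")
        return True
    except ValueError:  # OpenSSL in FIPS mode refuses ("unsupported hash type")
        return False


def _md5_or_none(data):
    """Try MD5 marked as non-security use first, then plain MD5; None if refused."""
    for kwargs in ({"usedforsecurity": False}, {}):
        try:
            return hashlib.md5(data, **kwargs)
        except TypeError:   # this hashlib predates the keyword (Python < 3.9)
            continue
        except ValueError:  # backend disabled MD5 (FIPS mode)
            return None
    return None


def fips_aware_fingerprint(data):
    """Strategy 1: FIPS-aware selection.

    Keep MD5 for non-security uses where the backend allows it and fall back to
    SHA-256 otherwise. The output length now depends on the host (32 vs 64 hex
    characters), which is exactly what makes this approach awkward downstream.
    """
    md5 = _md5_or_none(data)
    if md5 is not None:
        return md5.hexdigest()
    return hashlib.sha256(data).hexdigest()


def sha256_fingerprint(data):
    """Strategy 2: sweeping MD5-to-SHA-256 replacement; identical on every host."""
    return hashlib.sha256(data).hexdigest()


def fits_column(hexdigest, column_width):
    """Does the hex digest fit a fixed-size column? A column sized for MD5 is 32."""
    return len(hexdigest) <= column_width


if __name__ == "__main__":
    print("kernel FIPS mode:", fips_mode_enabled(), "| MD5 usable:", md5_usable())
    for name, fn in (("fips-aware", fips_aware_fingerprint),
                     ("sha256", sha256_fingerprint)):
        digest = fn(SAMPLE)
        print(f"{name:10s} {digest}  fits varchar(32): {fits_column(digest, 32)}")
```

The FIPS-aware path is what the distro-specific `usedforsecurity=False` hooks enable; the SHA-256 path is the one the message recommends, and `fits_column` makes the schema cost of that choice explicit before a migration reaches a fixed-width column.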