Sean, I, too, am very interested in this particular discussion and working towards getting OpenStack working out-of-the-box on FIPS systems. I've submitted a few patches (https://review.openstack.org/#/q/owner:%22Joshua+Cornutt%22) recently and plan on going down my laundry list of patches I've made while deploying Red Hat OpenStack 10 (Newton), 13 (Queens), and community master on "FIPS mode" RHEL 7 servers.
I've seen a lot of debate in other communities on how to approach the subject ranging from full MD5-to-SHAx transitions to putting in FIPS-aware logic to decide hashes based on the system to just deciding that the hashes aren't used for real security and thus are "mostly OK" by FIPS 140-2 standards (resulting in awkward distro-specific versions of popular crypto libraries with built-in FIPS awareness).

Personally, I've been more in favor of a sweeping MD5-to-SHAx transition due to popular crypto libraries (OpenSSL, hashlib, NSS) indiscriminately disabling MD5 hash methods on FIPS mode systems. With SHA-1 collisions already happening, I imagine it will meet the FIPS banhammer in the not-so-distant future which is why I have generally been recommending SHA-256 as an MD5 replacement, despite the larger output size (mostly an issue for fixed-sized database columns).

There is definite pressure being put on some entities (commercial as well as government / DoD) to move core systems to FIPS mode and auditors are looking more and more closely at this particular subject and requiring strong justification for not meeting FIPS compliance on systems both at the hardware and software levels.

OpenStack Development Mailing List (not for usage questions)
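The following is an added example, not code from this message or from any OpenStack project: it sketches the MD5-to-SHA-256 transition the message describes, writing SHA-256 for new values while still checking legacy MD5 values where the system allows MD5. The helper names, the `fips_like_new` stand-in for a FIPS-mode library, and the sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def fips_like_new(name, data=b""):
    """Constructed stand-in for a FIPS-mode library: MD5 is refused."""
    if name.lower() == "md5":
        raise ValueError("md5 disabled (simulated FIPS mode)")
    return hashlib.new(name, data)

def is_available(name, new=hashlib.new):
    """Probe by constructing the digest; blocked algorithms raise ValueError."""
    try:
        new(name, b"")
        return True
    except ValueError:
        return False

# Legacy rows carry no algorithm tag, so infer it from the hex length.
# This is also why a 32-character column cannot hold the new values.
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}

def new_checksum(data, new=hashlib.new):
    """Transition approach: always write SHA-256 (64 hex chars, not 32)."""
    return new("sha256", data).hexdigest()

def verify(stored_hex, data, new=hashlib.new):
    """Return 'ok', 'mismatch', or 'unverifiable' (algorithm blocked or unknown)."""
    name = ALGO_BY_HEX_LEN.get(len(stored_hex))
    if name is None or not is_available(name, new):
        return "unverifiable"
    actual = new(name, data).hexdigest()
    return "ok" if hmac.compare_digest(actual, stored_hex.lower()) else "mismatch"

if __name__ == "__main__":
    blob = b"constructed sample payload"
    legacy = "0" * 32  # constructed placeholder for a stored 32-char MD5 value
    print(verify(legacy, blob, new=fips_like_new))
    print(verify(new_checksum(blob), blob, new=fips_like_new))
```

Rows reported as `unverifiable` are the ones that need re-hashing from the original data before the host is switched to FIPS mode.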