Attila Bukor has posted comments on this change. ( http://gerrit.cloudera.org:8080/16658 )

Change subject: Increase key size in tests and EMC
......................................................................


Patch Set 5:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/16658/3//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16658/3//COMMIT_MSG@11
PS3, Line 11: This commit removes the test-only key size
> Given that the majority of Kudu test runs (pre-commit, benchmarks, etc.) ar
Grant and I were discussing more regular, potentially even pre-commit builds on 
a FIPS-approved Docker environment. In addition to making these tests pass, if 
we don't use different key sizes in tests, we can flag potential issues in the 
production code when running the test suite in FIPS-approved mode.

Also, I wouldn't compare this to slow tests; this build took 46 minutes, which
is well within the normal range for the time it takes to run them:
http://jenkins.kudu.apache.org/job/kudu-gerrit/buildTimeTrend

As for benchmarks, I know it's good to compare them over time, but I also 
believe that they should be as close to reality as they can be, and choosing a 
small key size isn't realistic.


http://gerrit.cloudera.org:8080/#/c/16658/4//COMMIT_MSG
Commit Message:

http://gerrit.cloudera.org:8080/#/c/16658/4//COMMIT_MSG@10
PS4, Line 10: these tests
> In addition to these tests, did you try to run Java tests as well?  I remem
I did, all tests passed even with this added to tests.gradle:

  jvmArgs += "-Dcom.safelogic.cryptocomply.fips.approved_only=true"
  jvmArgs += "-Djdk.tls.ephemeralDHKeySize=2048"

The only security-related tweaks I found in MiniKuduCluster are these:

    Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2, RC4, MD5");
    Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3, RC4, MD5");

https://github.com/apache/kudu/blob/master/java/kudu-test-utils/src/main/java/org/apache/kudu/test/cluster/MiniKuduCluster.java#L150-L151

This is disabling insecure algorithms only, so it should be fine for FIPS 140-2.



--
To view, visit http://gerrit.cloudera.org:8080/16658
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I45b96e0b4499ea1d80db5871a529c732ad41220e
Gerrit-Change-Number: 16658
Gerrit-PatchSet: 5
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>
Gerrit-Comment-Date: Wed, 28 Oct 2020 14:01:04 +0000
Gerrit-HasComments: Yes
