Alexey Serbin has posted comments on this change. ( http://gerrit.cloudera.org:8080/16658 )
Change subject: KUDU-3210 Increase key size in tests and EMC
......................................................................

Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/16658/3/src/kudu/mini-cluster/external_mini_cluster.cc
File src/kudu/mini-cluster/external_mini_cluster.cc:

http://gerrit.cloudera.org:8080/#/c/16658/3/src/kudu/mini-cluster/external_mini_cluster.cc@a990
PS3, Line 990:
> Hm interesting. I'm not sure to be honest. It was definitely necessary to c

Yep, it would be great if you could verify how this patch works on CentOS 8. Last time I ran the whole set of tests on CentOS 8.1 a few months ago it passed. Unfortunately, I don't have a machine with CentOS 8.1 anymore.

Maybe we could try to leave the override for security level even with FIPS-enabled library?

BTW, I tried to run a few unit tests under OpenSSL 1.0.2k-fips 26 Jan 2017 on CentOS 7.4 with FIPS mode enabled. Indeed, 1024 bit RSA keys are accepted there. However, 512 and 768 bit keys were rejected with the `key too short` error. So, indeed: even if the declared minimum is 2048 bits for RSA keys in FIPS 140-2, 1024 bit keys are considered OK, at least for signature generation and verification. And that matches the information in section '9.2.2. RSA and DSA keys' of this document: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2564.pdf :

  The Module allows the use of 1024 bit RSA and DSA keys for legacy purposes, including signature generation.
[ RUN ] CertManagementTest.SignerInitWithMismatchedCertAndKey [1557/1903]
WARNING: Logging before InitGoogleLogging() is written to STDERR
F1030 15:46:34.131778 455785 cert_management-test.cc:75] Check failed: _s.ok() Bad status: Runtime error: error generating RSA key: error:2D07406C:FIPS routines:RSA_BUILTIN_KEYGEN:key too short:rsa_gen.c:438

--
To view, visit http://gerrit.cloudera.org:8080/16658
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I45b96e0b4499ea1d80db5871a529c732ad41220e
Gerrit-Change-Number: 16658
Gerrit-PatchSet: 3
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Grant Henke <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>
Gerrit-Comment-Date: Fri, 30 Oct 2020 23:18:31 +0000
Gerrit-HasComments: Yes
