Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2018-02-05 Thread Kenn Hussey (JIRA)
Kenn Hussey updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Kenn Hussey
Release Notes: Not Needed
This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2018-01-31 Thread Josh Cooper (JIRA)
Josh Cooper commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Jayant Sane What's the current status?


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2018-01-31 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Josh Cooper
Team: Security Platform Core


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2018-01-08 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-10-04 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Managed to get past that after adjusting some setup scripts to bump up openssl versions when running on RHEL (the specific patch revision on RHEL images we use causes failures when running agent). Though there still are some other unrelated hiccups in our CI past.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-28 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Thanks.
That is good news as well as interesting. I have stumbled upon some strange failures when attempting to use PA on RHEL 7 which was built on CentOS 7 (against system openssl). This was w/o even enabling FIPS mode. I looked at some plausible reasons but nothing obvious turns up. Both centos7 and rhel7 have the 1.0.1e version of system openssl libs. Based on the failures the behavior appears to originate from ruby (openssl.so) and libcurl.so. I wrote a test C application using openssl to do some things on SSL context, including generating rsa keys etc. Followed the same sequence as above - compiled on centos7 and executed on rhel7. It works fine and so does vice versa - compiled on rhel7 and executed on centos7. Even if I figure out the exact cause in the above suspect components, I would be concerned if we might see any such or unexpected behaviors down the line across different versions of openssl and/or platforms. Not to mention the maintenance overhead it might introduce as we may need to maintain 'fixed' versions of ruby and/or curl.
One obvious/logical workaround for the above issue seemed like - compile PA on RHEL when targeting RHEL. I tried that but it actually gets worse. Installing the openssl development package on RHEL bumps the versions of system openssl libraries. It moved from 1.0.1e to 1.0.2k. Since only the minor version changed, thought it might not be that bad - all relevant PA binaries, including ruby, curl etc., link against libssl.so.10 & libcrypto.so.10 (SONAMEs). But despite that, openssl.so (ruby) and libcurl.so.xxx latch to version 1.0.2 of openssl libs. So now if you attempt to use the PA compiled on RHEL7 on another RHEL 7 system w/o the openssl development package installed, it would not work since the openssl libs version would still be at 1.0.1e.
All said, though, since it seems to work for you (PA compiled on CentOS runs on RHEL), I wonder if there is any difference across the RHEL images you use compared to what we use. I think I just answered myself: I tried using a centos7-compiled PA on a rhel7 that was provisioned on different infrastructure (openstack). That seems to work fine - at least the specific failure seen above is not seen. Encouraging it sounds, but also worrisome as it just could be one of those waiting-to-fail type of issues depending on what our customers might have.
I would also like to request you to test Puppet agent 5.x to see if it still works in case there is anything different from PA 4.x that you have (though it just might be a data point w/o necessarily providing anything helpful to triage it). This is not urgent now that I may be able to do some testing using the 'right kind' of RHEL systems.

Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-25 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Jayant Sane RHEL and CentOS 6 and 7.
I really need to be able to change the hash algorithms from the central config file. Different customers have had different requirements for their algorithms and it's something that's supported by the underlying code, just not exposed as a configuration option.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-25 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Trevor Vaughan Q: Which platform & version specifically did you test the system openssl linked agent on? Like centos, redhat, ?? thx


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-08 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Jayant Sane We did test against a system that was FIPS enabled so  from me.
We do need to make sure that SHA-384 is supported though, which is what I think you are referring to.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-08 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Trevor, My turn to apologize for the delay. Thanks for testing it. Am assuming that being the case but wanted to confirm whether your testing was done on systems in FIPS mode. And unless this included all the testing you typically do, for FIPS, please let us know as/when you get that done.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-08-18 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Jayant Sane Apologies for not getting back to you on this sooner.
We tested your build and it DOES work. We had no issues, and we did validate that it was properly linked against the OS libraries.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-08-02 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Jayant Sane
Team: Platform Core Security


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-07-05 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Trevor Vaughan I managed to generate PA AIO built against system openssl libs. However, have not done the two adjustments to use SHA and adjusting key lengths yet. I have not tested this package (beside using the hacky ways I did earlier) but plan to check it soon. I would like to check out simp-beaker but am not familiar (am a relative newcomer even to beaker). Could you share your email address?


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-06-22 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

When would this be like in any upcoming sprint planning meeting? I did some testing, in some hacky way, and was/am looking into adjusting openssl builds that can/will allow us to test PA against any system installed openssl more easily. I have not had much luck with it yet but plan to try more things. Though any additional help would be welcome if anyone is more familiar with it.
thanks Jayant


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-06-21 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Geoff Nichols
Sprint: Agent Grooming


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-06-17 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

After some poking around I tend to agree with you above that it would be easier to compile our OpenSSL, or rather necessary as I found out, to support FIPS. I had kind of anticipated this issue earlier, of course not knowing the below then...
That is because we are not following the correct convention of using proper SONAMEs for the openssl libs that the various PA components link against ==> this creates hard dependencies on the exact version of the lib even if another ABI-compatible version of the relevant libs exists on the system. Ironically we do create symlinks libcrypto.so --> libcrypto.so.1.0.0 which of course are useless. As it happened on the centos7 I was playing on, the system-installed openssl libs had different minor versions and PA components would not "move over" easily to these system versions. I will be creating new tickets to have this addressed.
I tried a bad/quick hack of creating copies of the system versions of the relevant libs with exactly the same names as those of the puppet versions. And while some preliminary quick checks passed ok, my beaker run of acceptance tests mysteriously hung somewhere and when I killed the process it took away the log file that I was recording. Will attempt it again to see if I have any better luck.
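A loader-compatibility check for the SONAME problem described in this comment and in the 2017-09-28 comment earlier on the page, added here as an example (not code from the ticket or from puppet-agent). It parses NEEDED and RPATH entries out of `readelf -d` output and asks whether a host that only carries the distro's libcrypto.so.10 / libssl.so.10 could satisfy them; the readelf text, the host inventory and the search path /opt/example-agent/lib are constructed placeholders, and the helper names are assumed.

```ruby
# Added example, not from the ticket or puppet-agent: a loader-compatibility
# check for the SONAME problem described in the comments. It reads the NEEDED
# entries and search path from `readelf -d` output and asks whether a host that
# only carries the distro's libcrypto.so.10 / libssl.so.10 could satisfy them.
# The readelf text and the host inventory below are constructed samples.

# Shared-library names from "(NEEDED) Shared library: [libfoo.so.1]" lines.
def needed_libs(readelf_output)
  readelf_output.scan(/\(NEEDED\)\s+Shared library: \[([^\]]+)\]/).flatten
end

# RPATH/RUNPATH if the binary carries one; a path into the vendored tree means
# the loader will pick the bundled libcrypto even when the system has its own.
def search_path(readelf_output)
  readelf_output[/\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[([^\]]+)\]/, 1]
end

# libcrypto.so.1.0.0 / libssl.so.1.0.0 are upstream OpenSSL's own SONAMEs;
# RHEL/CentOS 7 ship libcrypto.so.10 / libssl.so.10. A bare libcrypto.so is the
# development symlink and should never be what a binary records as NEEDED.
def classify_openssl_dep(name)
  case name
  when /\Alib(crypto|ssl)\.so\z/          then :dev_symlink
  when /\Alib(crypto|ssl)\.so\.1\.0\.0\z/ then :upstream_soname
  when /\Alib(crypto|ssl)\.so\.10\z/      then :rhel_soname
  when /\Alib(crypto|ssl)\.so\./          then :other_openssl
  else :not_openssl
  end
end

# NEEDED entries the dynamic loader could not resolve from the given basenames.
def unresolved_on_host(needed, host_libs)
  needed.reject { |lib| host_libs.include?(lib) }
end

# One report per binary: its OpenSSL deps with their classification, its
# search path, and what a target host would fail to load.
def soname_report(readelf_output, host_libs)
  needed = needed_libs(readelf_output)
  openssl = needed.map { |n| [n, classify_openssl_dep(n)] }.reject { |_, k| k == :not_openssl }
  {
    openssl_deps: openssl.to_h,
    search_path:  search_path(readelf_output),
    unresolved:   unresolved_on_host(needed, host_libs),
  }
end

# Constructed sample of `readelf -d` for a ruby openssl.so built against a
# vendored OpenSSL 1.0.x (invented values and a placeholder path, not real output).
VENDORED_READELF = <<~OUT
  Dynamic section at offset 0x1a2b8 contains 30 entries:
    Tag        Type                         Name/Value
   0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
   0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
   0x0000000000000001 (NEEDED)             Shared library: [libruby.so.2.4]
   0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
   0x000000000000000f (RPATH)              Library rpath: [/opt/example-agent/lib]
OUT

# Constructed inventory of /usr/lib64 on a RHEL 7 host without openssl-devel.
RHEL7_HOST_LIBS = %w[libssl.so.10 libcrypto.so.10 libruby.so.2.4 libc.so.6].freeze

if $PROGRAM_NAME == __FILE__
  p soname_report(VENDORED_READELF, RHEL7_HOST_LIBS)
end
```

Run the same report over real `readelf -d` output of ruby's openssl.so and libcurl to see which binaries would stop resolving once the vendored libs are removed.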


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-05-16 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Josh Cooper
Labels: triaged


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-05-10 Thread Trevor Vaughan (JIRA)
Trevor Vaughan commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

The easiest test here is to just compile your internal OpenSSL to support FIPS and then enable your system in FIPS mode.
If you provide us with a location for updated RPMs, the simp-core project has a full-stack test that we can run in FIPS mode via Beaker.
Having run pre-AIO Puppet in FIPS environments for years, the two items that you will need to address are:

- Default key lengths. You really need a fips_enabled default fact but, since you killed my request on that one, you can use simplib to pick it up. The key lengths that are allowed are 2048, 3072, and 15360. We've been sticking with 2048 for the best cross-system compatibility, but we may transition to 15360 if it works (may not be in the validated usage profile). 3072 has worked in preliminary tests.
- Checksums. We switched everything to using SHA hashes across the board and have not had any issues. Even including MD5 will cause your application to crash.

Happy to help test viable configurations.
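A pre-flight check for the two items in Trevor's list (key length and digest choice), added here as an example and not code from the ticket, SIMP or puppet-agent. It uses the Ruby openssl binding that the agent bundles; the permitted key lengths and the SHA-only rule are taken from the comment above, and the helper names are assumed.

```ruby
# Added example, not from the ticket or puppet-agent: a pre-flight check for the
# two FIPS items in the comment above (key length, digest choice), written
# against the Ruby openssl binding that the agent bundles.
require 'openssl'

# RSA key lengths the comment says are accepted in FIPS mode.
FIPS_RSA_KEY_BITS = [2048, 3072, 15360].freeze
# SHA-2 digests; MD5 and SHA-1 are the ones that fail once FIPS mode is on.
FIPS_DIGESTS = %w[SHA256 SHA384 SHA512].freeze

# Returns human-readable findings for a proposed agent configuration
# (e.g. the puppet.conf keylength and digest_algorithm settings); empty means clean.
def fips_findings(key_bits:, digest:)
  findings = []
  unless FIPS_RSA_KEY_BITS.include?(key_bits)
    findings << "keylength #{key_bits} is not one of #{FIPS_RSA_KEY_BITS.join(', ')}"
  end
  unless FIPS_DIGESTS.include?(digest.to_s.upcase)
    findings << "digest #{digest} is not SHA-2 and will fail under FIPS"
  end
  findings
end

# Probes whether the linked libcrypto will actually construct a digest.
# In FIPS mode OpenSSL::Digest.new('MD5') raises (DigestError on 1.0.x when the
# init call is refused, RuntimeError when the name is unknown entirely), so this
# returns false for MD5 on a FIPS host and true elsewhere.
def digest_available?(name)
  OpenSSL::Digest.new(name)
  true
rescue OpenSSL::Digest::DigestError, RuntimeError
  false
end

# Hex checksum using only a FIPS-acceptable digest, refusing MD5 up front so the
# result is identical on and off a FIPS host instead of crashing on one of them.
def fips_checksum(data, digest: 'SHA256')
  name = digest.to_s.upcase
  raise ArgumentError, "refusing non-FIPS digest #{digest}" unless FIPS_DIGESTS.include?(name)
  OpenSSL::Digest.new(name).hexdigest(data)
end

if $PROGRAM_NAME == __FILE__
  mode = OpenSSL.respond_to?(:fips_mode) ? OpenSSL.fips_mode : 'unknown'
  puts "openssl reports fips_mode=#{mode}"
  puts "MD5 constructible on this host: #{digest_available?('MD5')}"
  p fips_findings(key_bits: 4096, digest: 'md5')   # two findings
  puts fips_checksum('constructed sample input')   # SHA-256 hex digest
end
```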


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-05-10 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Geoff Nichols
Team: Agent


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-05-10 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Geoff Nichols
Sprint: Agent Grooming


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-05-10 Thread Eric Sorenson (JIRA)
Eric Sorenson created an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Issue Type: Task
Assignee: Unassigned
Created: 2017/05/09 11:02 PM
Priority: Normal
Reporter: Eric Sorenson

One of the main stumbling blocks to FIPS 140-2 compliance is that we bundle and link against our own openssl library in the agent, which is not FIPS certified. Modulo actually doing the certification, one simple expedient would be to remove the bundled openssl from our builds and allow the agent to fall back to the system openssl. This will probably break things.
This ticket is to track a test case of doing exactly this:

- configure a FIPS compliant RHEL system
- install the puppet-agent and puppet-server
- remove the bundled openssl
- run as much of the test suite as possible and catalogue the failures
- create tickets for fixing those failures