Jennings, Jared L CTR USAF AFMC 46 SK/CCI
2011-Jun-28 18:24 UTC
[Puppet Users] FIPS 140-2 compliance
I've just posted a feature request <http://projects.puppetlabs.com/issues/8120> relating to FIPS 140-2 compliance. I'm pointing to it here on the mailing list because I listed there five places where Puppet (nay, Ruby!) crashed while I was testing a deployment using FIPS mode on all hosts. It crashed because it tried to use MD5, and OpenSSL in FIPS mode doesn't let you do that. When I replaced these five usages of Digest::MD5 with Digest::SHA256, things ran well, but it's merely a stopgap.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
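One way to make the digest choice depend on the host's FIPS state rather than hand-patching each call site, as an added Ruby example that is not Puppet's code nor anything posted in this thread; `fips_enabled?`, `checksum` and `md5_references` are names assumed here, and the source fragment is constructed:

```ruby
require 'openssl'

# Added example (not Puppet's code): choose a digest at runtime based on
# whether OpenSSL reports FIPS mode, instead of hard-coding MD5 or SHA256.

# True when OpenSSL reports FIPS mode; false on builds lacking the accessor.
def fips_enabled?
  OpenSSL.fips_mode ? true : false
rescue NoMethodError
  false
end

# SHA256 whenever FIPS mode is on (MD5 is not permitted there); MD5 otherwise,
# for compatibility with checksums already recorded under the old scheme.
def digest_algorithm(fips: fips_enabled?)
  fips ? 'SHA256' : 'MD5'
end

# Hex checksum of content using the selected algorithm, via OpenSSL::Digest so
# the algorithm actually used is one the library allows in its current mode.
def checksum(content, fips: fips_enabled?)
  OpenSSL::Digest.new(digest_algorithm(fips: fips)).hexdigest(content)
end

# Source audit: [line number, line] pairs in a Ruby source string that
# reference MD5, so call sites that would fail on a FIPS host can be found
# before deployment rather than by crashing there.
MD5_PATTERN = %r{Digest::MD5|digest/md5|OpenSSL::Digest\.new\(\s*['"]md5['"]\s*\)}i

def md5_references(source)
  source.each_line.with_index(1)
        .select { |line, _| line =~ MD5_PATTERN }
        .map { |line, n| [n, line.strip] }
end

# Constructed sample resembling a checksum helper that trips over FIPS mode,
# followed by a FIPS-safe variant.
SAMPLE_SOURCE = <<~RUBY
  require 'digest/md5'
  def legacy_sum(data)
    Digest::MD5.hexdigest(data)
  end
  def safe_sum(data)
    OpenSSL::Digest::SHA256.hexdigest(data)
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "FIPS mode: #{fips_enabled?}"
  puts "checksum('abc') => #{checksum('abc')}"
  md5_references(SAMPLE_SOURCE).each { |n, l| puts "line #{n}: #{l}" }
end
```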
On Tue, Jun 28, 2011 at 11:24, Jennings, Jared L CTR USAF AFMC 46 SK/CCI <jared.jennings.ctr@eglin.af.mil> wrote:
> I've just posted a feature request
> <http://projects.puppetlabs.com/issues/8120> relating to FIPS 140-2
> compliance. I'm pointing to it here on the mailing list because I listed
> there five places where Puppet (nay, Ruby!) crashed while I was testing
> a deployment using FIPS mode on all hosts. It crashed because it tried
> to use MD5, and OpenSSL in FIPS mode doesn't let you do that. When I
> replaced these five usages of Digest::MD5 with Digest::SHA256, things
> ran well, but it's merely a stopgap.

Hey, thanks for filing away that request. We had previous folks asking for similar things, but no one indicated that FIPS compliant OpenSSL would absolutely refuse to work with MD5, full stop.

Am I right in imagining, given your title, that FIPS mode is an absolute requirement for y'all to use Puppet on your systems?

Regards, Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <daniel@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
Jennings, Jared L CTR USAF AFMC 46 SK/CCI
2011-Jun-30 17:08 UTC
RE: [Puppet Users] FIPS 140-2 compliance
Pittman:
> Hey, thanks for filing away that request. We had previous folks
> asking for similar things, but no one indicated that FIPS compliant
> OpenSSL would absolutely refuse to work with MD5, full stop.
> Am I right in imagining, given your title, that FIPS mode is an
> absolute requirement for y'all to use Puppet on your systems?

I believe I understand your question when I say: yes, we have to use FIPS mode on our systems; if Puppet does not work under FIPS mode, we can't use Puppet.

At my site, right now, it works ok, because I have locally-made RPM packages of Puppet and Ruby with the rough patches that I've indicated in the issue reports I've filed. For J. Random Federalgovernment Admin, it probably needs to work more smoothly. (What were her parents thinking, giving her two middle names...)

Further reading:
<http://iase.disa.mil/stigs/os/unix/unix.html>
<http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf> (look for DCAS-1 and DCCS-2)
<http://www.niap-ccevs.org/faqs/nstissp-11/>
Federal Information Security Management Act (FISMA)
On Thu, Jun 30, 2011 at 10:08, Jennings, Jared L CTR USAF AFMC 46 SK/CCI <jared.jennings.ctr@eglin.af.mil> wrote:
> Pittman:
>> Hey, thanks for filing away that request. We had previous folks
>> asking for similar things, but no one indicated that FIPS compliant
>> OpenSSL would absolutely refuse to work with MD5, full stop.
>> Am I right in imagining, given your title, that FIPS mode is an
>> absolute requirement for y'all to use Puppet on your systems?
>
> I believe I understand your question when I say: yes, we have to use FIPS mode on our systems; if Puppet does not work under FIPS mode, we can't use Puppet.

Maybe I could have asked more clearly. I wanted to make sure I had supporting data when it came to convincing my boss that we should be putting engineering time into fixing this now, because it matters for a lot more than just theoretical technical reasons. ;)

Thank you so much for sending those references. They make it much easier to make my case.

Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <daniel@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons