[Openstack-operators] FIPS Compliance

Doug Hellmann doug at doughellmann.com
Tue Nov 6 13:06:58 UTC 2018


Sean McGinnis <sean.mcginnis at gmx.com> writes:

> I'm interested in some feedback from the community, particularly those running
> OpenStack deployments, as to whether FIPS compliance [0][1] is something folks
> are looking for.
>
> I've been seeing small changes starting to be proposed here and there for
> things like MD5 usage related to its incompatibility to FIPS mode. But looking
> across a wider stripe of our repos, it appears like it would be a wider effort
> to be able to get all OpenStack services compatible with FIPS mode.
>
> This should be a fairly easy thing to test, but before we put in much effort
> into updating code and figuring out testing, I'd like to see some input on
> whether something like this is needed.
>
> Thanks for any input on this.
>
> Sean
>
> [0] https://en.wikipedia.org/wiki/FIPS_140-2
> [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf

I know we've had some interest in it at different times. I think some of
the changes will end up being backwards-incompatible, so we may need a
"FIPS-mode" configuration flag for those, but in other places we could
just switch hashing algorithms and be fine.

I'm not sure if anyone has put together the details of what would be
needed to update each project, but this feels like it could be a
candidate for a goal for a future cycle once we have that information
and can assess the level of effort.

Doug
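
Added example, not part of the original message or of any OpenStack project's code: a sketch of the two cases mentioned in the reply above, where new checksums simply switch to SHA-256 while a flag decides whether previously stored MD5 digests may still be verified. The `fips_mode` parameter, the `algorithm:digest` tagging scheme and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

LEGACY_ALGORITHM = "md5"      # assumption: untagged stored values are old MD5 digests
DEFAULT_ALGORITHM = "sha256"  # FIPS-approved replacement for new checksums


class FipsModeError(Exception):
    """Raised when a stored value needs MD5 while fips_mode is on."""


def compute_checksum(data: bytes) -> str:
    """New checksums always use the approved algorithm and carry a tag."""
    return f"{DEFAULT_ALGORITHM}:{hashlib.sha256(data).hexdigest()}"


def verify_checksum(data: bytes, stored: str, fips_mode: bool = False) -> bool:
    """Verify data against a stored checksum, tagged or legacy."""
    algorithm, sep, digest = stored.partition(":")
    if not sep:
        # Untagged value: treat it as a legacy MD5 digest.
        algorithm, digest = LEGACY_ALGORITHM, stored
    if algorithm == LEGACY_ALGORITHM:
        if fips_mode:
            # The backwards-incompatible case: old records cannot be
            # checked until they are re-hashed with an approved algorithm.
            raise FipsModeError("stored checksum uses MD5; re-hash required")
        # usedforsecurity=False (Python 3.9+) marks an integrity-only use.
        actual = hashlib.md5(data, usedforsecurity=False).hexdigest()
    elif algorithm == DEFAULT_ALGORITHM:
        actual = hashlib.sha256(data).hexdigest()
    else:
        raise ValueError(f"unsupported checksum algorithm: {algorithm}")
    return hmac.compare_digest(actual, digest.lower())


if __name__ == "__main__":
    payload = b"hello"  # constructed sample input
    legacy = "5d41402abc4b2a76b9719d911017c592"  # MD5 of b"hello"
    print(verify_checksum(payload, legacy))                     # legacy record, flag off
    print(verify_checksum(payload, compute_checksum(payload),   # new record, flag on
                          fips_mode=True))
    try:
        verify_checksum(payload, legacy, fips_mode=True)
    except FipsModeError as exc:
        print("rejected:", exc)
```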


