[openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

Ian Cordasco sigmavirus24 at gmail.com
Tue Nov 8 21:11:26 UTC 2016

-----Original Message-----
From: Rob C <hyakuhei at gmail.com>
Reply: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Date: November 7, 2016 at 07:39:57
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [requirements][kolla][security] pycrypto
vs cryptography

> Good question, I know issues around this have arisen before.
> I think the main points have been covered well already, for my part I will
> always lean toward the better supported or actively developed project.

At this point PyCrypto actively tells users that it's not supported or
developed. They've been pushing people towards Cryptogrpahy.

> I understand the desire to look for FIPS 140-2 compliance, however I'd
> caution about this being the only deciding factor, it makes software
> development messy as only specific implementations can be validated. If you
> want to update code to make improvements etc you can need a whole
> re-validation. I'm not saying that FIPS 140-2 doesn't have value but I know
> of software projects that have used known-bad implementations that had
> certification rather use an updated version with no issues - (like I said,
> it gets messy).
> The OpenSSL guys wrote a good article on FIPS validation, how they tackled
> it and some of the impact etc [1]
> -Rob
> [1] https://www.openssl.org/docs/fipsnotes.html

I would strongly suggest you read Rob's link. It's very enlightening
to know why, while FIPS may be a requirement, it's not necessarily
beneficial from a security standpoint. It's also ridiculously
expensive and restrictive.

I've CC'd one of the lead developers from the Cryptography project to
comment on this. I would hazard a guess that one could compile
Cryptography against a version of OpenSSL that is FIPS compliant, but
I doubt it'll be considered supported. I know Cryptography recently
dropped support for a few older versions of OpenSSL, and to work with
that you'd have to stick to an older version of Cryptography.

Can I ask why FIPS compliance is a requirement for Kolla? This seems
like an odd request for a deployment project.

> On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley wrote:
> > On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:
> > > On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> > [...]
> > > > An orthogonal question I have received from one of our community
> > > > members (Pavo on irc) is whether pycrypto (or if we move to
> > > > cryptography) provide FIPS-140-2 compliance.
> > >
> > > My understanding is that if you need, for example, a FIPS-compliant
> > > AES implementation under the hood, then this is dependent more on
> > > what backend libraries you're using... e.g.,
> > > https://www.openssl.org/docs/fips.html
> > > https://www.openssl.org/docs/fipsvalidation.html

Ian Cordasco

More information about the OpenStack-dev mailing list