[openstack-dev] [Openstack-operators] FIPS Compliance

Joshua Cornutt jcornutt at gmail.com
Tue Nov 6 17:19:38 UTC 2018


Doug,

I have such a list put together (my various installation documents for
getting these clouds working in FIPS mode) but it's hardly ready for
public consumption. I planned on releasing each bit as a code change
and/or bug ticket and letting the community consume it as it figures
some of these things out.

I agree that some changes may break backwards compatibility (such as
Glance's image checksumming), but one approach I think could ease the
transition would be the approach I took for SSH key pair
fingerprinting (also MD5-based, as are Glance image checksums) found
here - https://review.openstack.org/#/c/615460/ . This allows
administrators to choose, hopefully at deployment time, the hashing
algorithm, with the default being the existing MD5 algorithm.

Another approach would be to make the projects "FIPS aware" where we
choose the hashing algorithm based on the system's FIPS-enforcing
state. An example of doing so is what I'm proposing for Django
(another FIPS-related patch that was needed for OSP 13) -
https://github.com/django/django/pull/10605
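
The two approaches described in this message, combined in one added Python example that is not part of the original post or of either linked patch: an operator-chosen fingerprint algorithm that defaults to MD5, and a fallback that follows the host's FIPS state. The function names, the choice to reject MD5 when FIPS is enforced, and the sample key are assumptions made for illustration; `/proc/sys/crypto/fips_enabled` is the Linux kernel's FIPS flag.

```python
import base64
import hashlib
import struct

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # Linux kernel FIPS indicator


def fips_enforced(path=FIPS_FLAG):
    """True when the kernel reports FIPS mode; False if the file is absent."""
    try:
        with open(path) as flag:
            return flag.read().strip() == "1"
    except OSError:
        return False


def pick_algorithm(configured=None, fips=None):
    """Operator's setting wins; otherwise MD5 (legacy) unless FIPS is enforced."""
    if fips is None:
        fips = fips_enforced()
    algorithm = configured or ("sha256" if fips else "md5")
    if fips and algorithm == "md5":
        # Assumption: fail at configuration time rather than at first hash call.
        raise ValueError("md5 configured but FIPS mode is enforced")
    return algorithm


def ssh_fingerprint(pubkey_line, algorithm):
    """Fingerprint an OpenSSH public key line ('type base64 [comment]')."""
    blob = base64.b64decode(pubkey_line.split()[1])
    if algorithm == "md5":
        digest = hashlib.md5(blob).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    if algorithm == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("unsupported fingerprint algorithm: " + algorithm)


# Constructed sample key: ssh-ed25519 wire format around 32 made-up bytes.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"

if __name__ == "__main__":
    chosen = pick_algorithm()
    print(chosen, ssh_fingerprint(SAMPLE_KEY, chosen))
```

Stored MD5 fingerprints will not match SHA-256 ones for the same key, so a deployment that switches algorithms has to recompute or tag existing records.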


