[openstack-dev] [Openstack-operators] FIPS Compliance

Doug Hellmann doug at doughellmann.com
Wed Nov 7 12:30:02 UTC 2018


Joshua Cornutt <jcornutt at gmail.com> writes:

> Doug,
>
> I have such a list put together (my various installation documents for
> getting these clouds working in FIPS mode) but it's hardly ready for
> public consumption. I planned on releasing each bit as a code change
> and/or bug ticket and letting the community consume it as it figures
> some of these things out.

It's likely that the overall migration will go better if we all have the
full context. So I hope you can find some time to publish some of the
information you've compiled to help with that.

> I agree that some changes may break backwards compatibility (such as
> Glance's image checksumming), but one approach I think could ease the
> transition would be the approach I took for SSH key pair
> fingerprinting (also MD5-based, as is Glance image checksums) found
> here - https://review.openstack.org/#/c/615460/ . This allows
> administrators to choose, hopefully at deployment time, the hashing
> algorithm, with the default being the existing MD5 algorithm.

That certainly seems like it would provide the most compatibility in the
short term.

That said, I honestly don't know the best approach for us to take. We're
going to need people who understand the issues around FIPS and the
issues around maintaining backwards-compatibility to work together to
create a recommended approach. Perhaps a few of the folks on this thread
would be interested in forming a team to work on that?

Doug

> Another approach would be to make the projects "FIPS aware" where we
> choose the hashing algorithm based on the system's FIPS-enforcing
> state. An example of doing so is what I'm proposing for Django
> (another FIPS-related patch that was needed for OSP 13) -
> https://github.com/django/django/pull/10605
>
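The two transition strategies discussed in this thread (an operator-configurable hash with MD5 as the compatible default, and a "FIPS aware" selection driven by the host's FIPS-enforcing state) can be combined in one small helper. The following is an added example written for this page; it is not code from the Nova review, the Django pull request, or any OpenStack project. It assumes the Linux kernel flag /proc/sys/crypto/fips_enabled as the FIPS-state source (the path, the function names and the toy key blob are assumptions of this example), and it shows why a plain "MD5 by default" setting is not enough on its own: on a FIPS-enforcing host the MD5 call itself can be refused, so the selector has to treat a configured MD5 as an error rather than fall through to it.

```python
"""Choose and compute an SSH public-key fingerprint in a FIPS-aware way.

Added example for this thread, not project code. Hypothetical names:
fips_enforced(), select_fingerprint_algorithm(), ssh_fingerprint().
"""
import base64
import hashlib
import struct

# Linux exposes the kernel FIPS flag here; "1" means FIPS mode is enforced.
# Assumption: this is the only FIPS-state source the example consults.
FIPS_ENABLED_PATH = "/proc/sys/crypto/fips_enabled"

# Fingerprint formats OpenSSH uses: colon-separated MD5 hex, or
# "SHA256:" followed by unpadded base64 of the SHA-256 digest.
SUPPORTED = ("md5", "sha256")


def fips_enforced(path=FIPS_ENABLED_PATH):
    """Return True when the host reports FIPS mode as enforced.

    A missing or unreadable flag (non-Linux host, containers without
    /proc/sys access) is treated as "not enforced".
    """
    try:
        with open(path, encoding="ascii") as flag:
            return flag.read().strip() == "1"
    except OSError:
        return False


def select_fingerprint_algorithm(configured=None, fips=None):
    """Pick the hash algorithm to use for key-pair fingerprints.

    configured: operator setting from deployment-time config (None = unset).
    fips:       FIPS-enforcing state; None means "ask the host".

    Rules:
      * no setting + no FIPS  -> "md5"     (keeps existing behaviour)
      * no setting + FIPS     -> "sha256"  (FIPS-aware default)
      * explicit setting      -> honoured, except MD5 under FIPS is refused
        up front, because hashlib.md5() may itself raise on such hosts.
    """
    if fips is None:
        fips = fips_enforced()
    if configured is None:
        return "sha256" if fips else "md5"
    if configured not in SUPPORTED:
        raise ValueError("unsupported fingerprint algorithm: %r" % (configured,))
    if configured == "md5" and fips:
        raise ValueError("md5 fingerprints are not permitted while FIPS mode is enforced")
    return configured


def ssh_fingerprint(key_blob, algorithm):
    """Fingerprint a raw SSH public-key blob in OpenSSH's textual format."""
    if algorithm == "md5":
        digest = hashlib.md5(key_blob).hexdigest()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    if algorithm == "sha256":
        digest = hashlib.sha256(key_blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    raise ValueError("unsupported fingerprint algorithm: %r" % (algorithm,))


def _ssh_string(data):
    """Encode one SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed toy "ssh-rsa" blob with a 16-byte modulus; NOT a real key,
# it only exercises the wire layout (type name, mpint e, mpint n).
SAMPLE_KEY_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")           # e = 65537 as an mpint
    + _ssh_string(b"\x00" + bytes(range(0x80, 0x90)))  # n, leading 0 keeps it positive
)


if __name__ == "__main__":
    for fips in (False, True):
        algo = select_fingerprint_algorithm(None, fips=fips)
        print("fips=%s default=%s %s" % (fips, algo, ssh_fingerprint(SAMPLE_KEY_BLOB, algo)))
    try:
        select_fingerprint_algorithm("md5", fips=True)
    except ValueError as err:
        print("fips=True configured=md5 refused: %s" % err)
```

The selector is the piece that would sit behind a deployment-time config option; the fingerprint function is unchanged whichever way the decision is made, which is what keeps the backwards-compatible default and the FIPS-aware default from diverging in the rest of the code.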
