From: Paul Pathiakis <pathiaki2@yahoo.com>
To: freebsd-arch@freebsd.org, FreeBSD Ports
Date: Tue, 9 Apr 2019 11:44:47 +0000 (UTC)
Subject: FIPS and NIST
Message-ID: <1414670222.401877.1554810287647@mail.yahoo.com>

Hi,

I posted the following to freebsd-questions but was further directed here to see what can be done about this issue.

Basically, it involves making sure that the SSL library in use on the OS, and any ports built with it, uses the OpenSSL FIPS-compliant module. The module is a 'blessed' certification module of OpenSSL that has had MD5 and (???) less secure cryptographic algorithms removed. It goes through the US/Canadian government certification process and ends up being 'blessed'. Without this certification, FreeBSD and all of its derivatives will be shut out of gov't and gov't contractor companies.

A LOT of information can be found about this online, especially at http://www.nist.gov.

There are standards for both physical hardware security and operating system security using OpenSSL-FIPS-2.0 (soon to be 3.0 this year).

On the physical side it must support the use of SEDs (self-encrypting drives).

I guess one of the initial undertakings would be to port the OpenSSL FIPS module.

https://www.openssl.org/docs/fips.html

Another undertaking would be to allow a switch, when building things that rely on SSL encryption in their configuration, to choose 'OpenSSL FIPS'.

Now, the sad part. FIPS and NIST fly in the face of OSS philosophy and nimble movement. A FIPS-certified module cannot be used if a bug is found in it. It's IMMEDIATELY blacklisted. All things built with it are no longer valid. You can't patch it, you can't outright fix it, etc. It then requires the new library to go through certification. This leads to chicken-and-egg... you can't really expect to put everything on hold while a new module goes through the certification process, which can take upwards of 18 months. So, people either don't report it or wait until the new version is out to report it. (Hey, it's the gov't, right?)

However, you can't be used by the gov't unless certified. All the big players, CISCO, IBM, DELL/EMC, VMware and RedHat (and CentOS), are FIPS-compliant.

So, can this happen? (If it doesn't, all machines that are FreeBSD or variants in use in the gov't and in gov't contractor companies will be removed in an ever-shrinking timeframe.)

Paul P.