Date: Tue, 9 Apr 2019 11:44:47 +0000 (UTC)
From: Paul Pathiakis <pathiaki2@yahoo.com>
To: "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, FreeBSD Ports <ports@freebsd.org>
Subject: FIPS and NIST
Message-ID: <1414670222.401877.1554810287647@mail.yahoo.com>
References: <1414670222.401877.1554810287647.ref@mail.yahoo.com>
Hi,

I posted the following to freebsd-questions but was further directed here to see what can be done about this issue.

Basically, it involves making sure that the SSL library in use on the OS, and any ports built with it, uses the OpenSSL FIPS-compliant module. The module is a 'blessed' certification module of OpenSSL that has had the MD5 and (???) less secure cryptographic algorithms removed. It goes through the US/Canadian government certification process and ends up being 'blessed'. Without this certification, FreeBSD and all of its derivatives will be shut out of govt and govt contractor companies.

A LOT of information can be found about this online, especially at http://www.nist.gov.

There are standards for both physical hardware security and operating system security using the OpenSSL-FIPS-2.0 (soon to be 3.0 this year). On the physical side it must support the use of SEDs (self-encrypting drives).

I guess one of the initial undertakings would be to port the OpenSSL FIPS module.

https://www.openssl.org/docs/fips.html

Another undertaking would be to allow a switch when building things that rely on SSL encryption in their configuration to choose 'OpenSSL FIPS'.

Now, the sad part. FIPS and NIST fly in the face of OSS philosophy and nimble movement. A FIPS-certified module cannot be used if a bug is found in it. It's IMMEDIATELY blacklisted. All things built with it are no longer valid. You can't patch it, you can't outright fix it, etc. It then requires the new library to go through certification. This leads to chicken-and-egg.... you can't really expect to put everything on hold while a new module goes through the certification process, which can take upwards of 18 months. So, people either don't report it or wait until the new version is out to report it. (Hey, it's the gov't, right?)

However, you can't be used by the gov't unless certified. All the big players, CISCO, IBM, DELL/EMC, VMware and RedHat (and CentOS), are FIPS-compliant.

So, can this happen? (If it doesn't, all machines that are FreeBSD or variants in use in the gov't and in govt contractor companies will be removed in an ever-shrinking timeframe.)

Paul P.