Thanks a lot Philip Guenther

Absolute needful Info to all.

Regards,
Vijay Kumar

On Tue, Jun 16, 2020 at 1:43 PM Marc Roos <M.Roos@f1-outsourcing.eu> wrote:
 
Thanks for this clear insight!


-----Original Message-----
To: Scott Classen
Cc: Vijay Kumar; openldap-technical@openldap.org
Subject: *****SPAM***** Re: Info needed on OpenLDAP support / compliance
on FIPS 140.2

On Mon, 15 Jun 2020, Scott Classen wrote:
> Did you build the OpenLDAP binary from source or are you using a
> binary distribution from somewhere? Like Quanah already stated, you
> need to determine if the version of OpenSSL you linked against is FIPS

> compliant. The FIPS designation has nothing to do with OpenLDAP per
se.
>
> e.g. on my CentOS distro I can type
>
> # openssl version
> OpenSSL 1.0.2k-fips  26 Jan 2017
>
> And it lets me know that OpenSSL is FIPS compliment. Then if I build
> OpenLDAP using the openssl libraries provided with my distro then I’m

> assuming it would then inherit some of this FIP-ness.

Simply _using_ that library is not nearly enough to pass any sort of
compliance check.  Here's a session using a similar library (CentOS
7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant
cipher
suite:

$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
$ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet & [1]
31787 $ openssl s_client -connect localhost:4433 -cipher aNULL -quiet
foo read:errno=0 $ fg echo foo | openssl s_server -cipher ADH-RC4-MD5
-nocert -quiet ^C $


First, you have to actually tell the library to go into FIPS mode.  The
CLI 'openssl' tool will do that when the OPENSSL_FIPS environment
variable is set and I seem to recall that the system openssl libs on
RedHat systems (don't remember if it carried over to CentOS) would do so
if a kernel parameter was set, but in general applications using libssl
and libcrypto have to use the FIPS_mode_set() API to turn on FIPS mode
themselves. 
Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your
system libcrypto has something external to force FIPS mode *and your're
using it*, OpenLDAP will _not_ be using the library in FIPS mode.


Furthermore, is that build of openssl still covered by a valid FIPS
certificate?  "It's a build of sources for which some build has had a
FIPS certificate issued" is cute verbiage and there are many people that
only care about that: verbiage so they can check a unclearly specified
box on their documents.  Not a bad option if that's all your customers
expect and all you sell/promise, given that FIPS mode is not strictly
beneficial with the difficulty it creates for fixing bugs in crypto
implementations, including--historically--in openssl's code base.

While some customers will find that sufficient to check a box on their
documents, it ain't going to make real FIPS compliance people (U.S.
government agencies) blink before ignoring it.  If you're going to have
a compliance audit from such a group, with scheduled followups and
30/60/90 day remediation requirements, then no, stock openldap on stock
centos, for example, will not get you there.


Philip Guenther




--
Thanks & Regards,
 
Vijay Kumar
+91-94944 44009