devzero2000 wrote:
On Fri, Oct 25, 2013 at 7:59 PM, Michael Ströder michael@stroeder.com wrote:
Steve Eckmann wrote:
We are using {SSHA} (SHA-1) in OpenLDAP now. The customer wants SHA-512. And they require a FIPS-validated implementation, which I think narrows our options to using either OpenSSL or NSS in FIPS mode. I cannot see a better way to meet the customer's two requirements than gutting pw-sha2 and using that as a thin wrapper for the raw crypto functions in either openssl or nss.
You probably should first ask on the openssl-users mailing list under which conditions you get some "FIPS-validated" code regarding the whole OpenLDAP "application". Likely it's not feasible.
I'm pretty sure that your customer FIPS requirement is plain nonsense and you might work around this by some other strange policy text. ;-}
I am not sure "nonsense" if some distro are doing something in this area. Right or, perhaps, sometime wrong (o perhaps sometime break). http://fedoraproject.org/wiki/FedoraCryptoConsolidation
FIPS spec is clearly nonsense, from a technical perspective. E.g. it required support of Dual_EC_DRBG random number generator which was proven to be inferior and almost certainly has an NSA backdoor.
The Fedora crypto consolidation rationale is completely bogus; in unifying the crypto database across the entire machine it fails to recognize that different services (and different clients) will have completely different security policies and requirements. Of course this is common knowledge for actual security practitioners - servers generally should only recognize and trust client certificates issued by a single CA, while clients generally need to be able to trust many different CAs for a wide range of services. HTTP servers have much different certificate requirements from LDAP/FTP/SMTP servers; almost nobody uses client certificates with HTTP but they are commonplace for many other authenticated services.
Of course, the Fedora crypto scene is dictated more by political concerns than technical. https://bugzilla.redhat.com/show_bug.cgi?id=319901