Thanks for this clear insight!
-----Original Message-----
To: Scott Classen
Cc: Vijay Kumar; openldap-technical@openldap.org
Subject: Re: Info needed on OpenLDAP support / compliance on FIPS 140.2
On Mon, 15 Jun 2020, Scott Classen wrote:
Did you build the OpenLDAP binary from source or are you using a binary distribution from somewhere? Like Quanah already stated, you need to determine if the version of OpenSSL you linked against is FIPS compliant. The FIPS designation has nothing to do with OpenLDAP per se.

e.g. on my CentOS distro I can type

# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

And it lets me know that OpenSSL is FIPS compliant. Then if I build OpenLDAP using the openssl libraries provided with my distro then I'm assuming it would then inherit some of this FIP-ness.
Simply _using_ that library is not nearly enough to pass any sort of compliance check. Here's a session using a similar library (CentOS 7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant cipher suite:
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
$ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet &
[1] 31787
$ openssl s_client -connect localhost:4433 -cipher aNULL -quiet
foo
read:errno=0
$ fg
echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet
^C
$
First, you have to actually tell the library to go into FIPS mode. The CLI 'openssl' tool will do that when the OPENSSL_FIPS environment variable is set and I seem to recall that the system openssl libs on RedHat systems (don't remember if it carried over to CentOS) would do so if a kernel parameter was set, but in general applications using libssl and libcrypto have to use the FIPS_mode_set() API to turn on FIPS mode themselves. Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your system libcrypto has something external to force FIPS mode *and you're using it*, OpenLDAP will _not_ be using the library in FIPS mode.
Furthermore, is that build of openssl still covered by a valid FIPS certificate? "It's a build of sources for which some build has had a FIPS certificate issued" is cute verbiage and there are many people that only care about that: verbiage so they can check an unclearly specified box on their documents. Not a bad option if that's all your customers expect and all you sell/promise, given that FIPS mode is not strictly beneficial with the difficulty it creates for fixing bugs in crypto implementations, including--historically--in openssl's code base.
While some customers will find that sufficient to check a box on their documents, it ain't going to make real FIPS compliance people (U.S. government agencies) blink before ignoring it. If you're going to have a compliance audit from such a group, with scheduled followups and 30/60/90 day remediation requirements, then no, stock openldap on stock centos, for example, will not get you there.
Philip Guenther
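A small audit script for the three points Philip makes (is the linked libcrypto a FIPS build, does the binary ever reference FIPS_mode_set(), and are non-FIPS suites such as ADH-RC4-MD5 still offered). This is an added example, not code from the thread or from OpenLDAP; it assumes ldd, nm and awk are present and that the `openssl` CLI on PATH comes from the same build the audited binary links against. The sample inputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helper, not from the thread or from OpenLDAP. Covers the three
# checks above. Assumes ldd, nm, awk and an `openssl` CLI from the same build
# the audited binary (e.g. slapd) links against.

# 1. Does `openssl version` say the build carries the FIPS object module?
is_fips_build() {
    case "$1" in *-fips*) return 0 ;; *) return 1 ;; esac
}

# 2. Does the application reference FIPS_mode_set()?  Without that call the
#    library stays in its default, non-FIPS mode however it was built.
#    Input: `nm -D --undefined-only <binary>` output.
calls_fips_mode_set() {
    printf '%s\n' "$1" | grep -q 'FIPS_mode_set'
}

# 3. Which suites in `openssl ciphers -v` output would FIPS mode reject?
#    Flags anonymous (Au=None), RC4, MD5, single DES, export and NULL suites.
non_fips_ciphers() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(ADH|AECDH|EXP|NULL)/ ||
        $0 ~ /Enc=(RC4|DES\(56\)|None)|Mac=MD5|Au=None/ { print $1 }'
}

# Live audit of a binary such as slapd, combining the three checks above.
audit_binary() {
    bin="$1"
    ldd "$bin" | grep -q libcrypto || { echo "$bin: no libcrypto linked"; return 2; }
    ver=$(openssl version)
    is_fips_build "$ver" && echo "libcrypto: $ver (FIPS-capable build)" \
        || echo "libcrypto: $ver (no FIPS module at all)"
    calls_fips_mode_set "$(nm -D --undefined-only "$bin")" \
        && echo "$bin references FIPS_mode_set()" \
        || echo "$bin never calls FIPS_mode_set(): library stays in non-FIPS mode"
    bad=$(non_fips_ciphers "$(openssl ciphers -v 'ALL:aNULL')")
    [ -z "$bad" ] || printf 'non-FIPS suites still available:\n%s\n' "$bad"
}

# Constructed sample inputs (not captured from a real system) mirroring the
# formats of `openssl version`, `nm -D` and `openssl ciphers -v`.
SAMPLE_VER='OpenSSL 1.0.2k-fips 26 Jan 2017'
SAMPLE_NM='                 U SSL_CTX_new
                 U EVP_DigestInit_ex'
SAMPLE_CIPHERS='ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'
```

Run `audit_binary /usr/sbin/slapd` (or whichever binary you ship) on the host in question; a FIPS-capable version string combined with no FIPS_mode_set() reference is exactly the "linked but not in FIPS mode" situation described above.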