Thank you Quanah,
As I mentioned, we are using OpenLDAP version 2.4.48 from https://www.openldap.org/, which internally uses OpenSSL. I would like to know: is this version of OpenLDAP with OpenSSL FIPS compliant?
Regards, Vijay Kumar
On Mon, Jun 15, 2020 at 10:22 PM Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, June 15, 2020 5:03 PM +0530 Vijay Kumar pasumarthivijaykumar@gmail.com wrote:
Hi Team,
We are using OpenLDAP version 2.4.48. We would like to know which versions of OpenLDAP that use OpenSSL are compliant with the FIPS 140-2 standard.
Hello,
Do *NOT* post to multiple lists.
The FIPS question is not really an OpenLDAP question at all. Either the build of OpenLDAP you are using is linked to a FIPS version of OpenSSL or it isn't. You'd need to find out from whomever provided your OpenLDAP build (and that's assuming it's linked to OpenSSL) if that OpenSSL build is FIPS enabled.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Vijay,
Did you build the OpenLDAP binary from source or are you using a binary distribution from somewhere? Like Quanah already stated, you need to determine if the version of OpenSSL you linked against is FIPS compliant. The FIPS designation has nothing to do with OpenLDAP per se.
e.g. on my CentOS distro I can type
# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
And it lets me know that OpenSSL is FIPS compliant. Then if I build OpenLDAP using the openssl libraries provided with my distro, I'm assuming it would inherit some of this FIP-ness.
Sincerely, Scott
On Mon, 15 Jun 2020, Scott Classen wrote:
Did you build the OpenLDAP binary from source or are you using a binary distribution from somewhere? Like Quanah already stated, you need to determine if the version of OpenSSL you linked against is FIPS compliant. The FIPS designation has nothing to do with OpenLDAP per se.
e.g. on my CentOS distro I can type
# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
And it lets me know that OpenSSL is FIPS compliant. Then if I build OpenLDAP using the openssl libraries provided with my distro, I'm assuming it would inherit some of this FIP-ness.
Simply _using_ that library is not nearly enough to pass any sort of compliance check. Here's a session using a similar library (CentOS 7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant cipher suite:
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
$ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet &
[1] 31787
$ openssl s_client -connect localhost:4433 -cipher aNULL -quiet
foo
read:errno=0
$ fg
echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet
^C
$
First, you have to actually tell the library to go into FIPS mode. The CLI 'openssl' tool will do that when the OPENSSL_FIPS environment variable is set and I seem to recall that the system openssl libs on RedHat systems (don't remember if it carried over to CentOS) would do so if a kernel parameter was set, but in general applications using libssl and libcrypto have to use the FIPS_mode_set() API to turn on FIPS mode themselves. Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your system libcrypto has something external to force FIPS mode *and you're using it*, OpenLDAP will _not_ be using the library in FIPS mode.
Furthermore, is that build of openssl still covered by a valid FIPS certificate? "It's a build of sources for which some build has had a FIPS certificate issued" is cute verbiage and there are many people that only care about that: verbiage so they can check an unclearly specified box on their documents. Not a bad option if that's all your customers expect and all you sell/promise, given that FIPS mode is not strictly beneficial with the difficulty it creates for fixing bugs in crypto implementations, including--historically--in openssl's code base.
While some customers will find that sufficient to check a box on their documents, it ain't going to make real FIPS compliance people (U.S. government agencies) blink before ignoring it. If you're going to have a compliance audit from such a group, with scheduled followups and 30/60/90 day remediation requirements, then no, stock openldap on stock centos, for example, will not get you there.
Philip Guenther
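A constructed shell audit that encodes the three checks Philip's mail walks through (a "-fips" libcrypto is only FIPS-capable; FIPS mode must then be forced on externally, e.g. by the kernel parameter, or the application must call FIPS_mode_set() itself). It is added here and is not code from the thread, OpenLDAP or OpenSSL; it assumes a Linux host where the kernel switch is visible at /proc/sys/crypto/fips_enabled and a dynamically linked binary whose imported symbol names are readable as plain text.

```shell
#!/bin/sh
# Constructed example (not from the thread, OpenLDAP or OpenSSL).
# Run against a real build, e.g.:
#   fips_mode_verdict "$(openssl version)" /proc/sys/crypto/fips_enabled /usr/sbin/slapd
LC_ALL=C
export LC_ALL

# 1. "OpenSSL 1.0.2k-fips 26 Jan 2017": the -fips suffix only says the FIPS
#    object module was compiled in; it says nothing about FIPS mode being on.
fips_capable_version() {
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# 2. Something outside the application forcing FIPS mode: the kernel fips=1
#    boot parameter on RHEL-style systems is exposed at this /proc file.
#    The path is a parameter so the check can be pointed at a sample file.
kernel_fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# 3. Does the application reference FIPS_mode_set() at all? For a dynamically
#    linked binary the imported symbol name sits as plain text in .dynstr, so
#    a strings-style scan finds it (assumption: not statically linked and
#    stripped of that name).
imports_fips_mode_set() {
    tr -c '[:print:]' '\n' < "$1" 2>/dev/null | grep -q 'FIPS_mode_set'
}

# Verdict: prints a label and returns 0 only when FIPS mode can actually be in
# effect for this binary, 1 when the library cannot do FIPS at all, 2 when the
# library could but nothing switches FIPS mode on (Philip's point about stock
# OpenLDAP, which has no FIPS_mode_set() call of its own).
fips_mode_verdict() {
    ver="$1"; fips_file="$2"; bin="$3"
    if ! fips_capable_version "$ver"; then
        echo "not-fips-capable"; return 1
    fi
    if kernel_fips_enabled "$fips_file" || imports_fips_mode_set "$bin"; then
        echo "fips-mode-possible"; return 0
    fi
    echo "fips-capable-but-not-enabled"; return 2
}
```

A return of 0 only means FIPS mode is possible; it says nothing about whether the build is still covered by a valid certificate, which is the separate question Philip raises next.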
Thanks for this clear insight!
-----Original Message-----
To: Scott Classen
Cc: Vijay Kumar; openldap-technical@openldap.org
Subject: *****SPAM***** Re: Info needed on OpenLDAP support / compliance on FIPS 140.2
On 6/16/20 8:00 AM, Philip Guenther wrote:
Simply _using_ that library is not nearly enough to pass any sort of compliance check.
Philip, you're absolutely right.
Everybody seriously interested in that should dig into the mailing list archive of the openssl-users list and the OpenSSL blog for postings about FIPS compliance.
Be prepared for tons of unrealistic requirements. Steve Marquess' e-mails about FIPS sent to openssl-users usually begin with:
"As always, if you don't care about FIPS 140 then count yourself lucky and move on."
Ciao, Michael.