Thanks a lot Philip Guenther
Absolute needful Info to all.
On Tue, Jun 16, 2020 at 1:43 PM Marc Roos <M.Roos(a)f1-outsourcing.eu> wrote:
Thanks for this clear insight!
To: Scott Classen
Cc: Vijay Kumar; openldap-technical(a)openldap.org
Subject: *****SPAM***** Re: Info needed on OpenLDAP support / compliance
on FIPS 140.2
On Mon, 15 Jun 2020, Scott Classen wrote:
> Did you build the OpenLDAP binary from source or are you using a
> binary distribution from somewhere? Like Quanah already stated, you
> need to determine if the version of OpenSSL you linked against is FIPS
> compliant. The FIPS designation has nothing to do with OpenLDAP per
> e.g. on my CentOS distro I can type
> # openssl version
> OpenSSL 1.0.2k-fips 26 Jan 2017
> And it lets me know that OpenSSL is FIPS compliment. Then if I build
> OpenLDAP using the openssl libraries provided with my distro then I’m
> assuming it would then inherit some of this FIP-ness.
Simply _using_ that library is not nearly enough to pass any sort of
compliance check. Here's a session using a similar library (CentOS
7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant
$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
$ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet & 
31787 $ openssl s_client -connect localhost:4433 -cipher aNULL -quiet
foo read:errno=0 $ fg echo foo | openssl s_server -cipher ADH-RC4-MD5
-nocert -quiet ^C $
First, you have to actually tell the library to go into FIPS mode. The
CLI 'openssl' tool will do that when the OPENSSL_FIPS environment
variable is set and I seem to recall that the system openssl libs on
RedHat systems (don't remember if it carried over to CentOS) would do so
if a kernel parameter was set, but in general applications using libssl
and libcrypto have to use the FIPS_mode_set() API to turn on FIPS mode
Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your
system libcrypto has something external to force FIPS mode *and your're
using it*, OpenLDAP will _not_ be using the library in FIPS mode.
Furthermore, is that build of openssl still covered by a valid FIPS
certificate? "It's a build of sources for which some build has had a
FIPS certificate issued" is cute verbiage and there are many people that
only care about that: verbiage so they can check a unclearly specified
box on their documents. Not a bad option if that's all your customers
expect and all you sell/promise, given that FIPS mode is not strictly
beneficial with the difficulty it creates for fixing bugs in crypto
implementations, including--historically--in openssl's code base.
While some customers will find that sufficient to check a box on their
documents, it ain't going to make real FIPS compliance people (U.S.
government agencies) blink before ignoring it. If you're going to have
a compliance audit from such a group, with scheduled followups and
30/60/90 day remediation requirements, then no, stock openldap on stock
centos, for example, will not get you there.
Thanks & Regards,