Phillip Moore
2017-09-20 19:15:17 UTC
Hi,
Is anyone running ATS in a FIPS* (Federal Information Processing Standard)
compliant setup?
I was looking into this and ATS has some code that seems to allow it to
call the fips enable function from openssl but it doesn't work quite right
it seems.
I've patched ATS to force FIPS mode on but ATS fails to start due to MD5
hash functions no longer being available, and ATS seems to heavily use MD5
internally.
As a crazy idea just to see what would happen I basically did s/md5/sha256
in the code base and was able to make ATS compile and run but it never
logged the 'fips enabled' bits, but it didn't complain about MD5 either.
I'm wondering if there was some initial effort for FIPS support that was
abandoned, and what I see in the code now is the remnants.
Thanks for any comments,
Phillip Moore
* https://www.openssl.org/docs/fipsnotes.html