[Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

Standa Laznicka slaznick at redhat.com
Tue Mar 14 15:37:32 UTC 2017


On 03/14/2017 04:21 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>> My 3 cents...
>>>>
>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>
>>>> -> Does it work in Fedora? It should be worth mentioning so people are
>>>> more encouraged to test it in Fedora before it gets to RHEL 7.4
>>>>
>>>> Thanks,
>>>>
>>>> Luc
>>> We cannot guarantee that FIPS mode will work with Fedora; any package
>>> update may break it.
>> Fedora itself is not capable of running in FIPS mode so there's no point
>> adding it there.
> I can't believe this is correct. Did you try it and it failed? Did you
> file bugs?
Yes, yes and no. Please see the header at this page:
https://fedoraproject.org/wiki/FedoraCryptoConsolidation

We tried to set up Fedora for FIPS in RHEV but the machine would not 
even start.
>
> The dracut-fips and dracut-fips-aesni packages are both available.
>
> # cat /etc/redhat-release
> Fedora release 25 (Twenty Five)
> # sysctl crypto.fips_enabled
> crypto.fips_enabled = 0
>
> So the basic stuff is there and the kernel knows what FIPS is.
>
> Any NSS-based application can enable FIPS-mode independently of the
> kernel via modutil or application-specific settings (e.g. NSSFIPS in
> mod_nss).
>
> rob




