[Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

Rob Crittenden rcritten at redhat.com
Tue Mar 14 19:42:27 UTC 2017


Standa Laznicka wrote:
> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>> Standa Laznicka wrote:
>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>>> My 3 cents...
>>>>>
>>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>>
>>>>> -> Does it work in Fedora? It should be worth mentioning so people are
>>>>> more encouraged to test it in Fedora before it gets to RHEL 7.4
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Luc
>>>> We cannot guarantee that FIPS mode will work with Fedora; any package
>>>> update may break it.
>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>> adding it there.
>> I can't believe this is correct. Did you try it and it failed? Did you
>> file bugs?
> Yes, yes and no. Please see the header at this page:
> https://fedoraproject.org/wiki/FedoraCryptoConsolidation

Um, ok? What do shared certs and centralized crypto policies have to do
with FIPS not working in Fedora?

> We tried to set up Fedora for FIPS in RHEV but the machine would not
> even start.

Fedora 25 works for me in libvirt.

crypto.fips_enabled is 1.

It is enforcing it too, md5sum fails because FIPS is enabled.

So if it isn't working for you then bugs are required.

rob

>>
>> The dracut-fips and dracut-fips-aesni packages are both available.
>>
>> # cat /etc/redhat-release
>> Fedora release 25 (Twenty Five)
>> # sysctl crypto.fips_enabled
>> crypto.fips_enabled = 0
>>
>> So the basic stuff is there and the kernel knows what FIPS is.
>>
>> Any NSS-based application can enable FIPS-mode independently of the
>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>> mod_nss).
>>
>> rob
> 
> 
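The check Rob describes above (the kernel's crypto.fips_enabled flag set to 1, and md5sum actually failing because FIPS enforcement rejects a non-approved digest) can be scripted so that the two observations are compared rather than eyeballed. The script below is an added example for this thread, not code from the mailing list or from FreeIPA; it assumes a Linux host exposing /proc/sys/crypto/fips_enabled (the same value `sysctl crypto.fips_enabled` prints) and a coreutils md5sum, and it treats a missing sysctl as "not enabled".

```shell
#!/bin/sh
# Added example: reconcile the kernel FIPS flag with observed enforcement.

# Print the kernel FIPS flag (0 or 1). A host without the sysctl reports 0,
# which is what a kernel built without FIPS support would look like.
fips_flag() {
  if [ -r /proc/sys/crypto/fips_enabled ]; then
    tr -d '[:space:]' < /proc/sys/crypto/fips_enabled
  else
    echo 0
  fi
}

# Probe enforcement the way the thread does: MD5 is not a FIPS-approved
# digest, so in an enforcing FIPS mode md5sum is expected to fail.
# Prints "enforced" when md5sum fails and "permitted" when it succeeds.
md5_enforcement() {
  if printf 'constructed sample input' | md5sum >/dev/null 2>&1; then
    echo permitted
  else
    echo enforced
  fi
}

# Combine flag and probe into one verdict. The two middle cases are the
# interesting ones: a flag that is set without enforcement means userspace
# crypto is not honouring the kernel setting, and rejection without the
# flag usually means md5sum is missing or a library is in FIPS mode on its
# own (the NSS-style per-application FIPS switch mentioned in the thread).
fips_verdict() {
  flag=$(fips_flag)
  enf=$(md5_enforcement)
  case "$flag:$enf" in
    1:enforced)  echo "fips-enabled-and-enforced" ;;
    1:permitted) echo "fips-flag-set-but-md5-permitted" ;;
    0:enforced)  echo "md5-rejected-without-fips-flag" ;;
    *)           echo "fips-disabled" ;;
  esac
}

# Stand-alone usage: print the verdict for this host.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  printf 'flag=%s md5=%s verdict=%s\n' "$(fips_flag)" "$(md5_enforcement)" "$(fips_verdict)"
fi
```

Run it on the guest after enabling FIPS with the dracut-fips packages and compare the verdict before and after the reboot; "fips-enabled-and-enforced" is the state the thread reports for Fedora 25, and anything else is the bug report the thread asks for.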
