[Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

Standa Laznicka slaznick at redhat.com
Wed Mar 15 07:19:51 UTC 2017


On 03/14/2017 08:42 PM, Rob Crittenden wrote:
> Standa Laznicka wrote:
>> On 03/14/2017 04:21 PM, Rob Crittenden wrote:
>>> Standa Laznicka wrote:
>>>> On 03/14/2017 03:14 PM, Martin Basti wrote:
>>>>> On 14.03.2017 14:56, Luc de Louw wrote:
>>>>>> My 3 cents...
>>>>>>
>>>>>> "Please note that FIPS 140-2 support may not work on some platforms"
>>>>>>
>>>>>> -> Does it work in Fedora? It should be worth mentioning so people are
>>>>>> more encouraged to test it in Fedora before it gets to RHEL 7.4
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Luc
>>>>> We cannot guarantee that FIPS mode will work with Fedora; any package
>>>>> update may break it.
>>>> Fedora itself is not capable of running in FIPS mode so there's no point
>>>> adding it there.
>>> I can't believe this is correct. Did you try it and it failed? Did you
>>> file bugs?
>> Yes, yes and no. Please see the header at this page:
>> https://fedoraproject.org/wiki/FedoraCryptoConsolidation
> Um, ok? What do shared certs and centralized crypto policies have to do
> with FIPS not working in Fedora?
It was the only document I found really mentioning FIPS at the time.
There are no instructions on how to set Fedora to FIPS mode, so we used the
RHEL guidelines and the boot failed, but those instructions do not
necessarily have to work for Fedora.
>> We tried to set up Fedora for FIPS in RHEV but the machine would not
>> even start.
> Fedora 25 works for me in libvirt.
>
> crypto.fips_enabled is 1.
>
> It is enforcing it too, md5sum fails because FIPS is enabled.
>
> So if it isn't working for you then bugs are required.
>
> rob
>
>>> The dracut-fips and dracut-fips-aesni packages are both available.
I will check dracut-fips at my earliest convenience; I did not notice it
when we started working on FIPS for FreeIPA, thanks.
>>>
>>> # cat /etc/redhat-release
>>> Fedora release 25 (Twenty Five)
>>> # sysctl crypto.fips_enabled
>>> crypto.fips_enabled = 0
>>>
>>> So the basic stuff is there and the kernel knows what FIPS is.
>>>
>>> Any NSS-based application can enable FIPS-mode independently of the
>>> kernel via modutil or application-specific settings (e.g. NSSFIPS in
>>> mod_nss).
>>>
>>> rob
>>
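The thread distinguishes three things that are easy to conflate: the kernel flag (`crypto.fips_enabled`), whether the kernel actually enforces it (Rob's `md5sum` observation), and NSS's own FIPS mode, which an application can turn on independently via `modutil`. The following POSIX shell script is an added example, not code from the thread or from the FreeIPA project; it packages those three checks into functions a deployer can run before testing FreeIPA under FIPS. The function names are assumptions, and `kernel_fips_state` accepts an optional file path so it can be exercised against a constructed value rather than the live `/proc` entry.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): report the FIPS indicators
# discussed above. Function names are assumptions made for this example.

# Kernel flag: sysctl crypto.fips_enabled is backed by
# /proc/sys/crypto/fips_enabled. An alternative path may be given for testing.
# Prints "enforcing", "disabled" or "unknown".
kernel_fips_state() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$flag_file" ]; then
        echo "unknown"    # knob absent (no FIPS-aware kernel) or unreadable
        return 0
    fi
    case "$(tr -d '[:space:]' < "$flag_file")" in
        1) echo "enforcing" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Enforcement probe: with FIPS enforced, the MD5 implementation is blocked
# and md5sum exits non-zero even on empty input. Prints "blocked" or
# "allowed"; "unavailable" if md5sum is not installed.
md5_probe() {
    if ! command -v md5sum >/dev/null 2>&1; then
        echo "unavailable"; return 0
    fi
    if md5sum /dev/null >/dev/null 2>&1; then
        echo "allowed"
    else
        echo "blocked"
    fi
}

# NSS FIPS mode for a given database directory, checked with
# `modutil -chkfips true`, which exits 0 when the internal module is in FIPS
# mode and 1 otherwise. Prints "enabled", "disabled" or "unavailable".
nss_fips_state() {
    nssdb="$1"
    if ! command -v modutil >/dev/null 2>&1; then
        echo "unavailable"; return 0
    fi
    if modutil -dbdir "$nssdb" -chkfips true >/dev/null 2>&1; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# Usage: summarise all three for the host and an NSS database directory
# (the path below is only a placeholder).
fips_report() {
    nssdb="${1:-/etc/pki/nssdb}"
    printf 'kernel flag : %s\n' "$(kernel_fips_state)"
    printf 'md5 probe   : %s\n' "$(md5_probe)"
    printf 'nss (%s): %s\n' "$nssdb" "$(nss_fips_state "$nssdb")"
}
```

A kernel flag of `enforcing` together with an `allowed` MD5 probe is the mismatch worth investigating: the flag is set but the crypto self-tests or the `dracut-fips` integrity check did not take effect. The NSS check is per-database, so run it against the database each FIPS-sensitive service (for example `mod_nss`) actually opens.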