Ceph in FIPS Validated Environment

All:
I recently was tasked with building and implementing Ceph in an environment where FIPS cryptography is strictly enforced.  As such, I ran into several issues regarding Ceph's use of low-level cryptographic functions, since those are strictly forbidden when OpenSSL is in FIPS mode.  The obvious solution is to migrate away from the low-level crypto functions and over to OpenSSL's EVP API, which I wrongly assumed would be a huge undertaking.  As it turns out, low-level crypto functions are only used in a handful of places, and the work to migrate away has already been completed in the following PRs:
https://github.com/ceph/ceph/pull/23260
https://github.com/ceph/ceph/pull/32675

The latter looks like it will be merged in for the Pacific release, but the former appears to have been abandoned.  The perception is that these pulls are only related to performance improvements, but they also solve the corner case of running Ceph in a FIPS-enforced environment.  Anecdotally, I rebased the two pulls on the latest stable Octopus release, 15.2.7, and have a cluster up and running with no issues as far as I can tell in a FIPS-enforced environment.

Are there any thoughts about reopening PR#23260 and updating both PRs to notate that they also resolve FIPS compatibility issues?


Thanks,

--
Kenneth Van Alstyne
Systems Architect
M: 804.240.2327
14291 Park Meadow Drive, Chantilly, VA 20151
perspecta