Apparently Paul's email didn't make it through, so I'm forwarding it to y'all since it is pertinent information.
-----Original Message-----
From: Paul Kehrer <paul.keh...@rackspace.com>
Reply: Paul Kehrer <paul.keh...@rackspace.com>
Date: November 8, 2016 at 23:39:32
To: Ian Cordasco <sigmaviru...@gmail.com>, OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

> Cryptography will build just fine against a FIPS OpenSSL (1.0.0 or newer, although we’re in the process of dropping < 1.0.1 support in the next several months). It is a supported configuration, but enabling FIPS mode (if it’s not on by default) is not something cryptography currently exposes (FIPS_mode_set). Rob and Ian’s points about the value of FIPS are generally in line with my own opinions. In the absence of an audit requirement I’d recommend looking for well-vetted and widely used libraries above trying to meet a specific compliance regime.
>
> -Paul
>
> On 11/9/16, 5:11 AM, "Ian Cordasco" wrote:
>
> -----Original Message-----
> From: Rob C
> Reply: OpenStack Development Mailing List (not for usage questions)
> Date: November 7, 2016 at 07:39:57
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography
>
> > Good question, I know issues around this have arisen before.
> >
> > I think the main points have been covered well already, for my part I will always lean toward the better supported or actively developed project.
>
> At this point PyCrypto actively tells users that it's not supported or developed. They've been pushing people towards Cryptography.
>
> > I understand the desire to look for FIPS 140-2 compliance, however I'd caution about this being the only deciding factor, it makes software development messy as only specific implementations can be validated. If you want to update code to make improvements etc you can need a whole re-validation. I'm not saying that FIPS 140-2 doesn't have value but I know of software projects that have used known-bad implementations that had certification rather use an updated version with no issues - (like I said, it gets messy).
> >
> > The OpenSSL guys wrote a good article on FIPS validation, how they tackled it and some of the impact etc [1]
> >
> > -Rob
> >
> > [1] https://www.openssl.org/docs/fipsnotes.html
>
> I would strongly suggest you read Rob's link. It's very enlightening to know why, while FIPS may be a requirement, it's not necessarily beneficial from a security standpoint. It's also ridiculously expensive and restrictive.
>
> I've CC'd one of the lead developers from the Cryptography project to comment on this. I would hazard a guess that one could compile Cryptography against a version of OpenSSL that is FIPS compliant, but I doubt it'll be considered supported. I know Cryptography recently dropped support for a few older versions of OpenSSL, and to work with that you'd have to stick to an older version of Cryptography.
>
> Can I ask why FIPS compliance is a requirement for Kolla? This seems like an odd request for a deployment project.
>
> > On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley wrote:
> > > On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:
> > > > On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> > > [...]
> > > > > An orthogonal question I have received from one of our community members (Pavo on irc) is whether pycrypto (or if we move to cryptography) provide FIPS-140-2 compliance.
> > > >
> > > > My understanding is that if you need, for example, a FIPS-compliant AES implementation under the hood, then this is dependent more on what backend libraries you're using... e.g.,
> > > > https://www.openssl.org/docs/fips.html
> > > > https://www.openssl.org/docs/fipsvalidation.html
>
> --
> Ian Cordasco
>

--
Ian Cordasco

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev