On 8/10/14 7:24 PM, Andrew Beekhof wrote:
On 10 Aug 2014, at 7:10 pm, Oren <theore...@hotmail.com> wrote:
Hi,
Can you support pacemaker without gnutls as it is not FIPS compliant?
Its not?
This dependency may be replaced by openssl, with a configure flag to control
this.
We'll certainly consider a patch that did this.
I don't know enough about openSSL to create it though.
FYI this is nontrivial. The FIPS-certified OpenSSL is not the one
normally distributed; applications (pacemaker in this case) have to be
able to use a special, source-only OpenSSL component as-is, with not the
slightest modification to the source or its build process. Woe unto them
who need to change a single character:
"New FIPS 140-2 validations (of any type) are slow (6-12 months is
typical), expensive (US$50,000 is probably typical for an uncomplicated
validation), and unpredictable (completion dates are not only uncertain
when first beginning a validation, but remain so during the process)."
https://www.openssl.org/docs/fips/fipsnotes.html
The payoff is access to U.S. government contracts, if you're into that
sort of thing.
Ironically, the FIPS-certified OpenSSL can be considered less secure
than the uncertified version, because due to the nature of
certification, bugs and holes get patched much more slowly:
https://blog.bit9.com/2012/04/23/fips-compliance-may-actually-make-openssl-less-secure/
-- Ken Gaillot <kjgai...@gleim.com>
Gleim NOC
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker
Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org