On Thu, 2 Apr 2015, [email protected] wrote:

> On Wed, 1 Apr 2015 17:12:36 -0700 (PDT)
> David Lang <[email protected]> wrote:
>
>> Rsyslog doesn't have a lot of options for configuring gnutls, so it's
>> whatever the default is for gnutls
>>
>> see
>> http://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html
>
> Thanks. I'm asking since I created issue #274 "FIPS mode". FIPS mode
> requires that only a certified set of ciphers and algorithms are used.
> GnuTLS, as well as OpenSSL and NSS are supporting this. In some cases
> though, the application using those restricted libraries must also be
> aware of the same restrictions. For one, OpenSSL will squarely abort if
> asked to use a non-FIPS cipher while in FIPS mode. GnuTLS will not
> process the request.
>
> In turn it might mean that *if* rsyslog does not impose any ciphers and
> algorithms, then there would be no need to have a FIPS-compatible
> rsyslog, the restrictions being solely on the GnuTLS operating mode.
>
> The X.509 certificates used by rsyslog are within FIPS. Are there any
> other certificate type choices in rsyslog?
>
> Do you think that in this circumstance, having a FIPS-compatible
> rsyslog would not be needed?
let me show my ignorance of gnutls here :-)

Rsyslog doesn't impose specific ciphers on gnutls. If there is a way for gnutls
to use a system-wide config for its defaults, or be compiled to only support
the FIPS ciphers, then rsyslog will happily use it and not care. If gnutls needs
to have rsyslog specify the FIPS ciphers, then rsyslog will need to be enhanced.

What certificates you use is only a very minor portion of FIPS certification.
I believe that full FIPS certification requires that you not only limit yourself
to the FIPS approved ciphers, but that you must use a binary build from a
specific FIPS approved release of the source code. This means that if you apply
security patches after the FIPS approval, the result is no longer FIPS
certified, even though it's more secure than the FIPS certified code.

I understand that OpenSSL has a separate branch that's FIPS certified, but that
only gets updated every couple of years (or something like that) because of the
cost and time needed for certification.

As a result, the only people who _actually_ run full FIPS stuff are people who
are required to do so by contract, and they charge a LOT more than normal
because of the cost of doing all the FIPS reviews.

Now, it's possible that my info is out of date. I haven't looked at FIPS in
detail for several years. The ideas behind FIPS are very good, but the practical
side falls down when you have constant software updates rather than annual
'product releases'.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog