On Thu, 2 Apr 2015 14:06:01 -0700 (PDT) David Lang <[email protected]> wrote:
> Rsyslog doesn't impose specific ciphers on gnutls. If there is a way
> for gnutls to use a system-wide config for its defaults, or be
> compiled to only support the FIPS ciphers, then rsyslog will happily
> use it and not care. If gnutls needs to have rsyslog specify the FIPS
> ciphers, then rsyslog will need to be enhanced. What certificates you
> use is only a very minor portion of FIPS certification.

So it looks that after all, issue #274 has no ground. E.g. rsyslog can operate as is in a FIPS system without any modifications.

> I believe that full FIPS certification requires that you not only
> limit yourself to the FIPS approved ciphers, but that you must use a
> binary build from a specific FIPS approved release of the source
> code.

Yes. The validation comes from the certifying lab. In the case of GnuTLS, GnuTLS makes its part by applying the restrictions, as well as the pair-wise and DRBG tests, and the start-up POST tests. But that does not mean it is certified. Same with NSS, I think. The Linux kernel has a fips=1 option, but it does not do much.

> This means that if you apply security patches after the FIPS
> approval, the result is no longer FIPS certified, even though it's
> more secure than the FIPS certified code.

Indeed. And it has to go through another certification, although a lesser one. This slows down the delivery of any security-critical patches to customers, making the systems actually less secure.

> I understand that OpenSSL has a separate branch that's FIPS
> certified, but that only gets updated every couple of years (or
> something like that) because of the cost and time needed for
> certification.

It used to be certified, and then there were modifications. They will go through another cycle of certification, eventually. One part of this is gathering money (sponsors) to do so.

> As a result, the only people who _actually_ run full FIPS stuff are
> people who are required to do so by contract, and they charge a LOT
> more than normal because of the cost of doing all the FIPS reviews.

Those are the customers. And yes, it is expensive to get the FIPS certification.

> Now, it's possible that my info is out of date. I haven't looked at
> FIPS in detail for several years. The ideas behind FIPS are very
> good, but the practical side falls down when you have constant
> software updates rather than annual 'product releases'.

The only advantage is in being able to address a specific range of customers. 24/7 security does not necessarily go the FIPS road. It is paperwork security :)

Regards.