> I'd imagine a global security configuration option in
> bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
> work. If that's too late in the initialization process, then a system
> property to allow overriding which BC provider to use may be more
> appropriate.
You are right!
> I think it'll require a bit more patching than just that. What about
> all the plugins and Jenkins core code that requests non-FIPS
> algorithms? For example, MD5 is still used for some non-security
> features, and I wouldn't expect that to be available in a
> FIPS-compliant JCE provider.
As I
I'd imagine a global security configuration option in
bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
work. If that's too late in the initialization process, then a system
property to allow overriding which BC provider to use may be more
appropriate.
I also have a concern
I've done several PRs in Jenkins Core and Remoting:
https://github.com/jenkinsci/jenkins/pull/5266
https://github.com/jenkinsci/remoting/pull/435
Also, I've added a change to kubernetes-client, used in several plugins:
https://github.com/fabric8io/kubernetes-client/pull/2788
At least the following
I think it'll require a bit more patching than just that. What about
all the plugins and Jenkins core code that requests non-FIPS
algorithms? For example, MD5 is still used for some non-security
features, and I wouldn't expect that to be available in a
FIPS-compliant JCE provider.
On the other
Hi all,
I want to add support for FIPS 140-2 to Jenkins Core and some plugins.
The BouncyCastle security provider used in Jenkins has a FIPS version.
https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf
https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf
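
Added example, not part of any message in this thread and not Jenkins or bouncycastle-api-plugin code: a sketch of the system-property override discussed above, which also probes whether the selected provider offers MD5 instead of assuming it. The property name example.bouncycastle.fips and the class ProviderSelect are hypothetical; the two provider class names are the ones shipped in the BC and BC-FJA jars.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;

public class ProviderSelect {
    // Hypothetical property name; neither Jenkins nor the plugin defines it.
    static final String PROP = "example.bouncycastle.fips";
    static final String BC = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    static final String BCFIPS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    // Read once at startup, before any code asks JCE for an algorithm.
    static boolean fipsRequested() {
        return Boolean.getBoolean(PROP);
    }

    // Loaded reflectively so only the selected jar must be on the classpath.
    static Provider load(String className) throws ReflectiveOperationException {
        return (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // True if this specific provider (not any installed one) offers the digest.
    static boolean supportsDigest(Provider p, String algorithm) {
        try {
            MessageDigest.getInstance(algorithm, p);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Provider p;
        try {
            p = load(fipsRequested() ? BCFIPS : BC);
            Security.insertProviderAt(p, 1);
        } catch (ClassNotFoundException e) {
            // Fail closed: never silently downgrade when FIPS was requested.
            if (fipsRequested()) throw new IllegalStateException("BCFIPS requested but not on classpath", e);
            p = Security.getProviders()[0]; // demo fallback: JDK default provider
        }
        for (String alg : new String[] {"MD5", "SHA-1", "SHA-256"}) {
            System.out.println(p.getName() + " " + alg + ": "
                    + (supportsDigest(p, alg) ? "available" : "NOT available"));
        }
    }
}
```

Run with -Dexample.bouncycastle.fips=true and the bc-fips jar on the classpath to see which digests that provider reports in its current mode.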