From dealing with the FIPS and lock issues before, the motivation was to not handle FIPS locks do to the performance impact. That might have changed with OpenSSL 1.1.0 when the locking issues were resolved.
Backing out the FIPS code in ATS should be all that you need to do and have a FIPS enabled library. We have talked about moving from md5 to sha256 before and I would be supportive of that. -Bryan > On Sep 20, 2017, at 12:15 PM, Phillip Moore <[email protected]> wrote: > > Hi, > > Is anyone running ATS in a FIPS* (Federal Information Processing Standard) > compliant setup? > > I was looking into this and ATS has some code that seems to allow it to call > the fips enable function from openssl but it doesn't work quite right it > seems. > > I've patched ATS to force FIPS mode on but ATS fails to start due to MD5 hash > functions no longer being available, and ATS seems to heavily use MD5 > internally. > > As a crazy idea just to see what would happen I basically did s/md5/sha256 in > the code base and was able to make ATS compile and run but it never logged > the 'fips enabled' bits, but it didn't complain about MD5 either. > > I'm wondering if there was some initial effort for FIPS support that was > abandoned, and what I see in the code now is that remnants. > > Thanks for any comments, > > Phillip Moore > > * https://www.openssl.org/docs/fipsnotes.html > <https://www.openssl.org/docs/fipsnotes.html>
