Fix for FIPS startup #366
Fix for FIPS startup #366
Conversation
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/182557199 The labels on this github issue will be updated when the story is started. |
|
here I cannot judge if this is a regression for others / older installations @torsten-sap @friegger we need someone with BOSH expierence to verify that this change does not break existing landscapes |
| @@ -123,7 +123,7 @@ function process_certs { | |||
| function insert_ssl_cert { | |||
| log "Installing Server SSL certificate" | |||
|
|
|||
| openssl pkcs12 -export -name uaa_ssl_cert \ | |||
| openssl pkcs12 -export -certpbe PBE-SHA1-3DES -name uaa_ssl_cert \ | |||
There was a problem hiding this comment.
Can we expose this through a bosh property, instead of hard coding this change?
There was a problem hiding this comment.
ok so I agree, please use a parameter
There was a problem hiding this comment.
you could also check (cat /proc/sys/crypto/fips_enabled) if FIPS is enabled and only add that parameter in the FIPS case.
There was a problem hiding this comment.
#407 is an alternative using the fix I suggested here.
|
SHA1 and 3DES raises hackles here. Aren't there other ciphers/hashes that aren't so tied to the 20th century? SHA1 was deprecated nearly a decade ago. |
The algorithm is used for p12 creation, but the password is passed 3 lines later, so this parameter is not needed to increase or change security level, but simply on a FIPS compliant image the openssl version requires such a parameter. We convert key files into p12 to pass the key material to tomcat configuration. |
Addresses #358