Jira (PUP-8378) Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

[Jayant Sane (JIRA)]

Jayant Sane created an issue

Puppet / PUP-8378 Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages Issue Type: Task Assignee: Jayant Sane Components: Platform Created: 2018/01/23 9:09 AM Fix Versions: PUP 5.4.0 Priority: Normal Reporter: Jayant Sane Puppet 5.4.0: N/A: Redhat7- FIPS mode: FIPS mode prohibits use of certain algorithms e.g. MD5 (as applicable to puppet currently) and any attempt to use them results in abrupt program termination or abort. While customers using Puppet agents on FIPS mode platforms should be aware of such limitations there might be un-intentional usages which will result in user un-friendly errors. We need to intercept any such prohibited usages at runtime and provide graceful error messages. Create a manifest with a file resource while setting its checksum attribute to md5 and attempt applying it on agent in fips mode. Expected: Provide a graceful error while disallowing the operation. Actual: Error "md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode! Aborted" Add Comment

This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db)

[Jayant Sane (JIRA)]

Jayant Sane commented on PUP-8378

Re: Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages Submitted PR: https://github.com/puppetlabs/puppet/pull/6581

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Josh Cooper Team: Security Platform Core

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper commented on PUP-8378

Re: Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages Moving to Platform Core team for visibility

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Josh Cooper Sprint: Platform Core KANBAN

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper assigned an issue to Josh Cooper

Puppet / PUP-8378 Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Josh Cooper Assignee: Josh Cooper

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8378 Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Josh Cooper Sub-team: Coremunity

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8378 Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Josh Cooper Acceptance Criteria: Puppet acceptance test pass against the redhat fips image in vmpooler.

Add Comment

[Kenn Hussey (JIRA)]

Kenn Hussey commented on PUP-8378

Re: Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages Josh Cooper please add release notes for this issue, if needed. Thanks!

Add Comment

This message was sent by Atlassian JIRA (v7.5.1#75006-sha1:7df2574)

[Craig Gomes (JIRA)]

Craig Gomes assigned an issue to Kris Bosland

Puppet / PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Craig Gomes Assignee: Josh Cooper Kris Bosland

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper updated an issue

Puppet / PUP-8378 Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Josh Cooper Release Notes Summary: When running on a FIPS enabled host, puppet will change the default values for digest_algorithm and supported_checksum_types to use SHA256 instead of MD5, as the latter is not FIPS compliant. Puppet will also emit errors and gracefully exit if configured to use MD5 algorithms. Release Notes: New Feature

Add Comment

[Josh Cooper (JIRA)]

Josh Cooper commented on PUP-8378

Re: Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages Merged to master in https://github.com/puppetlabs/puppet/commit/5e35d043ae0458e38a0aa3cf749113b0b8e5433b

Add Comment

[Eric Delaney (JIRA)]

Eric Delaney assigned an issue to Unassigned

Puppet / PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Eric Delaney Assignee: Kris Bosland

Add Comment

[Eric Delaney (JIRA)]

Eric Delaney assigned an issue to Eric Delaney

Puppet / PUP-8378 Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: Eric Delaney Assignee: Eric Delaney

Add Comment

[Eric Delaney (JIRA)]

Eric Delaney commented on PUP-8378

Re: Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages Tested on master(5.4.0) SHA=26b954ef6f9806161284bc57dcf5b71900889349 SUITE_VERSION=5.3.3.679.g26b954e

Add Comment

[John Duarte (JIRA)]

John Duarte updated an issue

Puppet / PUP-8378

Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

Change By: John Duarte QA Risk Assessment: Needs Assessment No Action

Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)