On Mon, 15 Jun 2020, Scott Classen wrote:
> Did you build the OpenLDAP binary from source or are you using a binary 
> distribution from somewhere? Like Quanah already stated, you need to 
> determine if the version of OpenSSL you linked against is FIPS 
> compliant. The FIPS designation has nothing to do with OpenLDAP per se.
> 
> e.g. on my CentOS distro I can type
> 
> # openssl version
> OpenSSL 1.0.2k-fips  26 Jan 2017
> 
> And it lets me know that OpenSSL is FIPS compliant. Then if I build 
> OpenLDAP using the openssl libraries provided with my distro then I’m 
> assuming it would then inherit some of this FIP-ness.

Simply _using_ that library is not nearly enough to pass any sort of 
compliance check.  Here's a session using a similar library (CentOS 
7.7.1908) with anonymous RC4-MD5, an absolutely non-FIPS-compliant cipher 
suite:

$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
$ echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet &
[1] 31787
$ openssl s_client -connect localhost:4433 -cipher aNULL -quiet
foo
read:errno=0
$ fg
echo foo | openssl s_server -cipher ADH-RC4-MD5 -nocert -quiet
^C
$ 


First, you have to actually tell the library to go into FIPS mode.  The 
CLI 'openssl' tool will do that when the OPENSSL_FIPS environment variable 
is set and I seem to recall that the system openssl libs on RedHat systems 
(don't remember if it carried over to CentOS) would do so if a kernel 
parameter was set, but in general applications using libssl and libcrypto 
have to use the FIPS_mode_set() API to turn on FIPS mode themselves.  
Last I checked, OpenLDAP had no calls to FIPS_mode_set(), so unless your 
system libcrypto has something external to force FIPS mode *and you're 
using it*, OpenLDAP will _not_ be using the library in FIPS mode.


Furthermore, is that build of openssl still covered by a valid FIPS 
certificate?  "It's a build of sources for which some build has had a FIPS 
certificate issued" is cute verbiage and there are many people that only 
care about that: verbiage so they can check an unclearly specified box on 
their documents.  Not a bad option if that's all your customers expect and 
all you sell/promise, given that FIPS mode is not strictly beneficial with 
the difficulty it creates for fixing bugs in crypto implementations, 
including--historically--in openssl's code base.

While some customers will find that sufficient to check a box on their 
documents, it ain't going to make real FIPS compliance people (U.S. 
government agencies) blink before ignoring it.  If you're going to have a 
compliance audit from such a group, with scheduled followups and 30/60/90 
day remediation requirements, then no, stock openldap on stock centos, for 
example, will not get you there.


Philip Guenther
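The three conditions the reply walks through (a FIPS-capable libcrypto build, something that actually switches FIPS mode on, and the application itself calling FIPS_mode_set) as an added shell check that is not part of this thread. It assumes Linux with nm(1) on PATH, treats /proc/sys/crypto/fips_enabled as the kernel's FIPS flag, and uses an imported FIPS_mode_set symbol as the sign that a binary can enable FIPS mode for itself.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): separates "linked against a FIPS-capable
# libcrypto" from "actually running in FIPS mode", following the three conditions
# in the reply. Assumes Linux with nm(1); /proc/sys/crypto/fips_enabled is taken as
# the kernel's FIPS flag, FIPS_mode_set as the libcrypto 1.0.x API named in the mail.

# 1. Is the libcrypto build FIPS-capable? Takes the text printed by `openssl version`.
openssl_build_is_fips_capable() {
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# 2. Is the kernel FIPS flag on? The path is a parameter so it can be checked offline.
kernel_fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# 3. Does the application (or one of its own shared objects, e.g. libldap) import
#    FIPS_mode_set, i.e. can it switch FIPS mode on by itself? $1 is the file to inspect.
binary_calls_fips_mode_set() {
    nm -D "$1" 2>/dev/null | grep -q ' U FIPS_mode_set'
}

# Verdict from the three facts (each 1 or 0): capable library, kernel flag, app calls API.
fips_verdict() {
    if [ "$1" != 1 ]; then echo "NOT-FIPS: libcrypto is not a FIPS-capable build"; return; fi
    if [ "$3" = 1 ]; then echo "SELF-ENABLED: application calls FIPS_mode_set itself"; return; fi
    if [ "$2" = 1 ]; then echo "FORCED-EXTERNALLY: kernel flag set; only valid if this libcrypto honours it"; return; fi
    echo "CAPABLE-BUT-OFF: FIPS-capable libcrypto, but nothing turns FIPS mode on"
}

# Live probe of this host for a given binary (default: slapd on PATH). Tolerates
# missing tools so it can be run anywhere; the verdict then reflects what was found.
report_host() {
    bin="${1:-$(command -v slapd 2>/dev/null)}"
    ver="$(openssl version 2>/dev/null)"
    lib=0; openssl_build_is_fips_capable "$ver" && lib=1
    krn=0; kernel_fips_enabled /proc/sys/crypto/fips_enabled && krn=1
    app=0; [ -n "$bin" ] && binary_calls_fips_mode_set "$bin" && app=1
    echo "openssl: ${ver:-not found}"
    echo "binary:  ${bin:-slapd not found}"
    fips_verdict "$lib" "$krn" "$app"
}

report_host "$@"
```

Run it as `sh fips-check.sh /usr/sbin/slapd` (or any other binary); on a stock CentOS 7 box with 1.0.2k-fips and no kernel flag it reports CAPABLE-BUT-OFF, which is exactly the situation described above.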
