All:
I recently was tasked with building and implementing Ceph in an environment where
FIPS cryptography is strictly enforced. As such, I ran into several issues regarding
Ceph's use of low-level cryptographic functions since those are strictly forbidden
when OpenSSL is in FIPS mode. The obvious solution is to migrate away from the low level
crypto functions and over to OpenSSL's EVP API, which I wrongly assumed would be a
huge undertaking. As it turns out, low level crypto functions are only used in a handful
of places and the work to migrate away has already been completed in the following PRs:
https://github.com/ceph/ceph/pull/23260
https://github.com/ceph/ceph/pull/32675
The latter looks like will be merged in for the Pacific release, but the former appears to
have been abandoned. The perception is that these pulls are only related to performance
improvements, but they also solve the corner case of running Ceph in a FIPS-enforced
environment. Anecdotally, I rebased the two pulls on the latest stable Octopus release,
15.2.7, and have a cluster up and running with no issues as far as I can tell in a
FIPS-enforced environment.
Are there any thoughts about reopening PR#23260 and updating both PRs to notate that they
also resolve FIPS compatibility issues?
Thanks,
--
Kenneth Van Alstyne
Systems Architect
M: 804.240.2327
14291 Park Meadow Drive, Chantilly, VA 20151
perspecta