
FIPS 140-3 Support RHEL 9 #2850

Open
GrifKies opened this issue May 2, 2024 · 3 comments

Comments


GrifKies commented May 2, 2024

Use Case

For government use, puppetserver needs to operate in FIPS mode on RHEL 9. This would impact the customer base. Mainly, I would like to know a timeline for FIPS 140-3 support so I can talk to my engineers about incorporating it into our environment.

Describe Alternatives You've Considered

Turning off FIPS. The main reason I think that is not a permanent workaround is that most government customers want to use Puppet to improve their scores, but I think they would be scared off by the FIPS issues.

justinstoller (Member) commented May 30, 2024

Hello @GrifKies, we use BouncyCastle in our enterprise product (which I believe has FIPS 140-2 support for RHEL 7 & 8). We will support FIPS 140-3 shortly after BC does so. It looks like they have submitted their 2.0 FIPS jar for FIPS 140-3 certification and it is in pre-release. I'm unclear whether we'll be able to take up the 2.0 jar when it is released or will need to wait for the 1.x series to be certified (which their website says they are also working on).

Sorry, I can't provide better timelines than that. I expect it to be within the next year, but I don't have any inside information on BouncyCastle's timeline.

pmcclammer commented

Hello, we would like to understand the product roadmap for FIPS 140-3 support now that the certificate for BC 1.02.4 is Historical (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4616) and the BC 2.0 certificate is Active (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4743). There does not appear to be a validated BC 1.0.2.5 available on bouncycastle.org.

We need a current vendor statement for the POAM that is now required to continue using the product for government purposes. I apologize in advance if there is existing documentation on the matter. I was not able to find anything.

pmcclammer commented

As this is the public Puppet Server repository, I also posted my inquiry to the Puppet Enterprise team since the repository and issues are internally maintained. Any information is useful to us at this time.
