[erlang-questions] FIPS compliance

Kapil Goyal goyalk@REDACTED
Tue Mar 15 20:28:40 CET 2016


Hi Drew,

Thanks for the useful information. Looks like some customization to Erlang will be required even going forward.

Regards
Kapil

From: Drew Varner [mailto:drew.varner@REDACTED]
Sent: Tuesday, March 15, 2016 12:07 AM
To: Kapil Goyal <goyalk@REDACTED>
Cc: erlang-questions@REDACTED
Subject: Re: [erlang-questions] FIPS compliance

Kapil,

Erlang's cryptography is not FIPS 140-2-certified. There was a pull request to add FIPS compliance via OpenSSL in FIPS mode, but it stalled [1].

Calls to OpenSSL's crypto canister must go through the Envelope (EVP) API calls. The crypto library in Erlang OTP 19 will use EVP calls (exclusively, I assume) [2]. However, EVP calls alone are not enough for FIPS 140-2 support.

If the only problem is terminating incoming HTTP requests, you may be able to get away with proxying the request through a FIPS 140-2 load balancer. rabbitmq-server calls crypto for password hashing. You'd need to replace calls to crypto with calls to a FIPS provider and look for calls made outside of crypto (BIFs like md5, phash).

- Drew

[1] https://github.com/erlang/otp/pull/377
[2] http://youtu.be/YlNrWxH56_E

On Mar 14, 2016, at 10:19 PM, Kapil Goyal <goyalk@REDACTED> wrote:
Hi All,

We use RabbitMQ and are working on running it in FIPS compliance. According to a post on the RMQ forum (https://groups.google.com/forum/#!topic/rabbitmq-users/wUzUjgDQ9M8), Erlang is not FIPS compliant. Is this correct? If so, are there plans to be compliant in the near future?

Thanks
Kapil
_______________________________________________
erlang-questions mailing list
erlang-questions@REDACTED
http://erlang.org/mailman/listinfo/erlang-questions
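
The audit Drew describes (find calls to crypto, plus hash BIFs called outside of crypto such as md5 and phash) can be started with a source scan. The script below is an added example, not code from the thread, RabbitMQ or OTP; the `md5_init`/`md5_update`/`md5_final` and `phash2` variants are included as an assumption about what such an audit should also cover, and the Erlang sample is constructed.

```python
import re

# Hash BIFs in the erlang module that never pass through the crypto application.
# md5 and phash are named in the thread; the other variants are an assumption.
# Matches both calls "erlang:md5(" and fun references "fun erlang:md5/1".
BIF_CALL = re.compile(r"\berlang:(md5(?:_init|_update|_final)?|phash2?)\s*[(/]")
# Every crypto:Function call site, i.e. what would move to a FIPS provider.
CRYPTO_CALL = re.compile(r"\bcrypto:([a-z][A-Za-z0-9_]*)\s*[(/]")

def strip_comment(line):
    """Drop a trailing % comment; % inside "strings" or as $% is not a comment."""
    in_str, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_str:          # escaped character inside a string
            i += 2
            continue
        if ch == "$" and not in_str:       # character literal such as $% or $\n
            i += 3 if line[i + 1:i + 2] == "\\" else 2
            continue
        if ch == '"':
            in_str = not in_str
        elif ch == "%" and not in_str:
            return line[:i]
        i += 1
    return line

def scan(source, filename="<memory>"):
    """Return findings as (filename, line_no, kind, call) in source order."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        for m in BIF_CALL.finditer(code):
            findings.append((filename, no, "bif", "erlang:" + m.group(1)))
        for m in CRYPTO_CALL.finditer(code):
            findings.append((filename, no, "crypto", "crypto:" + m.group(1)))
    return findings

# Constructed sample module, for illustration only.
SAMPLE = '''\
-module(demo_auth).
%% erlang:md5(Old) was used here before
hash(Pw, Salt) -> crypto:hash(sha256, [Salt, Pw]).
legacy(Pw) -> erlang:md5(Pw).
bucket(Key) -> erlang:phash2(Key, 16).
label() -> "100% done", $%, erlang:phash(x, 8).
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE, "demo_auth.erl"):
        print(*finding)
```

Dynamic calls (`apply/3`, a module name held in a variable) are not visible to a textual scan and still need manual review.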