Currently, we need to use a two-step install and manually modify the cipher set when installing on a machine in FIPS mode.

+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_RSA_WITH_AES_128_CBC_SHA256,
+TLS_RSA_WITH_AES_256_CBC_SHA256

Turn off the rest by adding minus signs (-). For example:

-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
Why not just use FIPS cipher suites by default to begin with?
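The report above describes the cipher list as a comma-separated string in which a leading "+" enables a suite and a leading "-" disables it, and gives the set of suites that should be enabled on a FIPS-mode host. The following is an added example (not code from the issue or from the Dogtag PKI project) that parses such a string, reports every enabled suite that is outside that allow-list or uses an algorithm that does not belong on a FIPS host, and rewrites the string so that exactly the allow-list is enabled. The allow-list is the one in the report; the WEAK_TOKENS list, the SAMPLE_SPEC input and all function names are assumptions made for this example.

```python
"""Validate and rewrite a '+'/'-' cipher list for FIPS mode.

Added example, not code from the original issue or from the Dogtag PKI
project. It assumes only the format the report describes: comma- (or
whitespace-) separated entries where '+' enables a suite and '-' disables
it. The allow-list is the set of suites the report enables in FIPS mode.
"""
import re

# Suites the report enables on a FIPS-mode machine (order preserved).
FIPS_ALLOWED = (
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
)
FIPS_SET = frozenset(FIPS_ALLOWED)

# Algorithm tokens that mark an enabled suite as unacceptable regardless of
# the allow-list (assumption for this example: 3DES, RC4, MD5, NULL, single
# DES and export-grade suites have no place in a FIPS-mode deployment).
WEAK_TOKENS = ("3DES", "RC4", "MD5", "NULL", "EXPORT", "_DES_")


def parse_cipher_list(spec):
    """Split a '+A,-B' string into (enabled, disabled, malformed) lists."""
    enabled, disabled, malformed = [], [], []
    for entry in re.split(r"[,\s]+", spec.strip()):
        if not entry:
            continue
        sign, name = entry[0], entry[1:]
        if sign == "+" and name:
            enabled.append(name)
        elif sign == "-" and name:
            disabled.append(name)
        else:
            malformed.append(entry)
    return enabled, disabled, malformed


def check_fips(spec):
    """Report enabled suites outside the allow-list, weak suites, bad entries."""
    enabled, disabled, malformed = parse_cipher_list(spec)
    findings = []
    for name in enabled:
        if name not in FIPS_SET:
            findings.append(f"enabled but not in FIPS allow-list: {name}")
        if any(tok in name for tok in WEAK_TOKENS):
            findings.append(f"enabled suite uses a non-FIPS algorithm: {name}")
    for entry in malformed:
        findings.append(f"malformed entry (missing +/- prefix): {entry}")
    return {
        "enabled": enabled,
        "disabled": disabled,
        "missing": [n for n in FIPS_ALLOWED if n not in enabled],
        "findings": findings,
    }


def build_fips_spec(spec):
    """Rewrite the list so exactly the allow-list is '+' and every other
    suite the original string mentioned is explicitly '-'."""
    enabled, disabled, _ = parse_cipher_list(spec)
    turned_off = []
    for name in enabled + disabled:
        if name not in FIPS_SET and name not in turned_off:
            turned_off.append(name)
    return ",".join(["+" + n for n in FIPS_ALLOWED]
                    + ["-" + n for n in turned_off])


# Constructed sample: a non-FIPS default that still has ECDH suites on,
# one disabled RC4 suite and one entry that lost its prefix.
SAMPLE_SPEC = (
    "+TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,"
    "+TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,"
    "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,"
    "-TLS_RSA_WITH_RC4_128_MD5,"
    "TLS_RSA_WITH_AES_128_CBC_SHA256"
)

if __name__ == "__main__":
    report = check_fips(SAMPLE_SPEC)
    for line in report["findings"]:
        print("FINDING:", line)
    for name in report["missing"]:
        print("MISSING:", name)
    print("FIPS spec:", build_fips_spec(SAMPLE_SPEC))
```

Run against the constructed sample it reports the two ECDH suites (the 3DES one twice, once for being outside the allow-list and once for the algorithm), the prefix-less entry, and the six allow-listed suites that are not yet enabled; the rewritten string it prints passes a second check cleanly, which is the property a post-install verification script should assert on a FIPS host.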
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Per PKI Team Meeting of 20171130 - 10.5 - critical
Metadata Update from @mharmsen:
- Issue priority set to: critical
- Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mharmsen:
- Issue assigned to vakwetu
Per PKI Team Meeting of 20180125: vakwetu -> jmagne
Metadata Update from @mharmsen:
- Issue assigned to jmagne (was: vakwetu)
Metadata Update from @mharmsen:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1539125
Metadata Update from @mharmsen:
- Issue assigned to mharmsen (was: jmagne)
commit 8f3700681ea2cbcc3dbe0c768dca177051e9a243
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Wed Jan 31 17:01:55 2018 -0700

    Enable FIPS ciphers as the new default cipher suites

    https://pagure.io/dogtagpki/issue/2855

    Change-Id: I968cd0e08f69401cb30ecdbdc86eb1f5049a5f37
commit 427edd6d16d7d74bb98bb0cda7c0bf67a4463bb9
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Wed Jan 31 17:01:55 2018 -0700

    Enable FIPS ciphers as the new default cipher suites

    https://pagure.io/dogtagpki/issue/2855

    Change-Id: I968cd0e08f69401cb30ecdbdc86eb1f5049a5f37
    (cherry picked from commit 8f3700681ea2cbcc3dbe0c768dca177051e9a243)
The external Wiki has been updated to reflect these changes:
* http://pki.fedoraproject.org/wiki/SSL
Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.5.5 (was: 10.5)
- Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.5.5-1.fc27
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2975
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.