Closed robdaemon closed 5 years ago
depends on puppetlabs/jvm-ssl-utils#87
Remove any and all SSLv3 references / tests. FIPS does not allow SSLv3, and the JVM explicitly disables SSLv3. OWASP guidelines specifically state:
I understand that FIPS does not allow SSLv3, and users shouldn't be using SSLv3 even internal to their networks, though I don't know if we can remove the option to use SSLv3 from non-FIPS users in the Puppet Platform 6.x series.
Given that, I'm not clear if our SSLv3 tests are doing much more than testing the upstream apache library honors its own configuration (assuming other tests validate that we are generally integrating with the library's configuration objects correctly).
I've integrated this, the requisite jvm-ssl-utils changes, and the bc-fips libraries into a dev environment of puppetserver and validated that all of our Clojure-based unit and integration tests pass. I'm confident in the changes here from a functional standpoint, though I have a few housekeeping nits that I'd like addressed (and addressing some of them may simply require further discussion).
Hey @robdaemon we've got a 4.0.0 of clj-parent out that has the jvm-ssl-utils bump in it! If you can work that in here then we can do a 4.1 and announce FIPS support in clj-parent!
@justinstoller done!
Ugh, yay, new test failures I hadn't seen before; gimme some time today to clean this up more.
Okay I took JDK 11 testing out of this. Things seem to behave very differently under JDK 11, so that needs to be fixed as a separate story.
Move the bouncycastle jar to the dev profile. This will allow us to specify the bouncycastle jars on the classpath at runtime like we do for logging configuration. At installation time, we can install the FIPS-compliant version of the jars, or the standard versions.
Remove any and all SSLv3 references / tests. FIPS does not allow SSLv3, and the JVM explicitly disables SSLv3. OWASP guidelines specifically state:
Removing the test.sh script in favor of calling lein directly.
Adding CI tests for JDK 8 with and without FIPS.
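The profile split described in the commits above (BouncyCastle out of the runtime dependencies, a dev profile for tests, and CI runs with and without FIPS) as an added illustration; this is not the project's own project.clj, and the project name, the ssl-utils coordinate, the profile names and every version number are assumptions:

```clojure
;; Illustrative project.clj fragment (not the project's actual file).
(defproject example/fips-service "0.1.0"      ; project name is an assumption
  ;; Runtime dependencies carry no BouncyCastle artifact: the provider jar is
  ;; chosen at installation time (FIPS-certified or standard) and placed on
  ;; the classpath by the launcher, the same way logging configuration is
  ;; supplied, so the packaged artifact does not pin one provider.
  :dependencies [[org.clojure/clojure "1.10.1"]
                 [puppetlabs/ssl-utils "3.0.0"]]   ; version is an assumption

  :profiles {;; Development/test profile: the test suite needs a provider on
             ;; the classpath, so the standard BouncyCastle jar lives here,
             ;; not in :dependencies.
             :dev  {:dependencies [[org.bouncycastle/bcprov-jdk15on "1.64"]]}
             ;; FIPS profile: swaps in the certified provider for the CI job
             ;; that exercises the FIPS configuration.
             :fips {:dependencies [[org.bouncycastle/bc-fips "1.0.2"]]}})

;; CI invocations (calling lein directly rather than through a wrapper script):
;;   lein test                          ; JDK 8, standard provider via :dev
;;   lein with-profile +fips test       ; JDK 8, FIPS provider added on top
```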