puppetlabs / clj-http-client

HTTP client library wrapping Apache HttpAsyncClient
Apache License 2.0

(PDB-4357) FIPS support via bc-fips jar #79

Closed robdaemon closed 5 years ago

robdaemon commented 5 years ago

Move the bouncycastle jar to the dev profile. This will allow us to specify the bouncycastle jars on the classpath at runtime like we do for logging configuration. At installation time, we can install the FIPS-compliant version of the jars, or the standard versions.

Remove any and all SSLv3 references / tests. FIPS does not allow SSLv3, and the JVM explicitly disables SSLv3. OWASP guidelines specifically state:

> SSL/TLS is a collection of protocols. Weaknesses have been identified with earlier SSL protocols, including SSLv2 and SSLv3, hence SSL versions 1, 2, and 3 should no longer be used. The best practice for transport layer protection is to only provide support for the TLS protocols - TLS 1.0, TLS 1.1 and TLS 1.2

Removing the test.sh script in favor of calling lein directly.

Adding CI tests for JDK 8 with and without FIPS.
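A post-install sanity check for the two changes described above, as an added example that is not part of this pull request or of clj-http-client: it reports which BouncyCastle provider jar ended up on the runtime classpath and whether the JVM still offers SSLv3. The namespace and function names are hypothetical; the provider class names are the ones shipped in the bc-fips and bcprov jars.

```clojure
(ns example.fips-check            ; hypothetical namespace, not in the project
  (:require [clojure.string :as str])
  (:import (javax.net.ssl SSLContext)
           (java.security Security)))

;; Provider classes shipped by the FIPS and the standard BouncyCastle jars.
(def provider-classes
  [[:bc-fips     "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"]
   [:bc-standard "org.bouncycastle.jce.provider.BouncyCastleProvider"]])

(defn class-present?
  "True if class-name can be loaded, without running its static initializers."
  [class-name]
  (try
    (Class/forName class-name false (clojure.lang.RT/baseLoader))
    true
    (catch ClassNotFoundException _ false)
    (catch LinkageError _ false)))

(defn bouncycastle-flavors
  "Flavors found on the classpath. Exactly one entry is the expected result;
   two means both jars were installed, none means the jar is missing."
  []
  (vec (for [[flavor cls] provider-classes
             :when (class-present? cls)]
         flavor)))

(defn default-protocols
  "Protocols the default SSLContext enables for new connections."
  []
  (set (.getProtocols (.getDefaultSSLParameters (SSLContext/getDefault)))))

(defn disabled-by-policy?
  "True if protocol is listed in the jdk.tls.disabledAlgorithms property."
  [protocol]
  (let [prop (or (Security/getProperty "jdk.tls.disabledAlgorithms") "")]
    (boolean (some #(= protocol (str/trim %)) (str/split prop #",")))))

(defn report []
  {:bouncycastle             (bouncycastle-flavors)
   :sslv3-enabled-by-default (contains? (default-protocols) "SSLv3")
   :sslv3-disabled-by-policy (disabled-by-policy? "SSLv3")})

;; Evaluate (report) in a REPL started with the same classpath as the service.
```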

puppetcla commented 5 years ago

CLA signed by all contributors.

robdaemon commented 5 years ago

depends on puppetlabs/jvm-ssl-utils#87

justinstoller commented 5 years ago

> Remove any and all SSLv3 references / tests. FIPS does not allow SSLv3, and the JVM explicitly disables SSLv3. OWASP guidelines specifically state:

I understand that FIPS does not allow SSLv3, and users shouldn't be using SSLv3 internal to their networks even, though I don't know if we can remove the option to use SSLv3 from non-FIPS users in the Puppet Platform 6.x series.

Given that, I'm not clear if our SSLv3 tests are doing much more than testing the upstream Apache library honors its own configuration (assuming other tests validate that we are generally integrating with the library's configuration objects correctly).

justinstoller commented 5 years ago

I've integrated this, the requisite jvm-ssl-utils changes, and bc-fips libraries into a dev environment of puppetserver and validated all of our Clojure-based unit and integration tests pass. I'm confident in the changes here from a functional standpoint, though I have a few housekeeping nits that I'd like addressed (and addressing some of them may simply require further discussion).

justinstoller commented 5 years ago

Hey @robdaemon we've got a 4.0.0 of clj-parent out that has the jvm-ssl-utils bump in it! If you can work that in here then we can do a 4.1 and announce FIPS support in clj-parent!

robdaemon commented 5 years ago

@justinstoller done!

robdaemon commented 5 years ago

Ugh, yay, new test failures I hadn't seen before. Gimme some time today to clean this up more.

robdaemon commented 5 years ago

Okay, I took JDK 11 testing out of this. Things seem to behave very differently under JDK 11, so that needs to be fixed as a separate story.