puppetlabs / puppetserver

Server automation framework and application
https://tickets.puppetlabs.com/browse/SERVER
Apache License 2.0

FIPS 140-3 Support RHEL 9 #2850

Open GrifKies opened 4 months ago

GrifKies commented 4 months ago

Use Case

For government use, puppetserver needs to operate in FIPS mode for RHEL 9. This would impact the customer base. Mainly, I would like to know a timeline for FIPS 140-3 support so I can talk to my engineers about incorporating it into our environment.

Describe Alternatives You've Considered

Turning off FIPS. The main reason I think that is not a permanent workaround is that most government customers want to use Puppet to improve their scores, but I think they would be scared off by the FIPS issues.

justinstoller commented 3 months ago

Hello @GrifKies, we use BouncyCastle in our enterprise product (which I believe has FIPS 140-2 support for RHEL 7 & 8). We will support FIPS 140-3 shortly after BC does so. It looks like they have submitted their 2.0 FIPS jar for FIPS 140-3 certification and it is in pre-release. I'm unclear whether we'll be able to take up the 2.0 jar when it is released or will need to wait for the 1.x series to be certified (which their website says they are also working on).

Sorry, I can't provide better timelines than that. I expect it to be within the next year, but I don't have any inside information into BouncyCastle's timeline.

pmcclammer commented 5 days ago

Hello, we would like to understand the product roadmap for FIPS 140-3 support now that the certificate for BC 1.02.4 is Historical (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4616) and the BC 2.0 certificate is Active (https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4743). There does not appear to be a validated BC 1.0.2.5 available on bouncycastle.org.

We need a current vendor statement for the POAM that is now required to continue using the product for government purposes. I apologize in advance if there is existing documentation on the matter. I was not able to find anything.

pmcclammer commented 5 days ago

As this is the public Puppet Server repository, I also posted my inquiry to the Puppet Enterprise team since the repository and issues are internally maintained. Any information is useful to us at this time.