Hi Steve,
On Mon, 2021-04-19 at 19:08 +0000, Steve Reed via FreeIPA-users wrote:
> Hi Stephen,
> True. I understand that, but I think we are getting off track to my
> original question. Can you run a FIPS FreeIPA server and still have
> the clients work with it? It's not necessarily required to have the
> clients FIPS compliant, but the server must since it has to do the
> encryption for data that it stores.
Yes, you can run a server in FIPS mode, and clients will generally talk
to it just fine. FIPS mode in RHEL simply reduces the set of available
algorithms, so clients have less to choose from but will work just fine.
The caveat is if you have non-RHEL clients that are either very old, or
somewhat "special", and support only a subset of (old/different)
algorithms that are not supported by the server in FIPS mode.
So the answer is generally "yes, with some caveats".
Note that these caveats are also valid in general for running on RHEL,
where we apply somewhat stringent crypto policies to avoid old and weak
protocols by default.
> And I appreciate that everyone is trying to save me some time, but it
> has been decided that we will use FIPS unless it proves not
> beneficial.
Just a note for everyone looking at this thread.
FIPS mode can be used at any time without restriction, so you are
welcome to use it. Many choose to use FIPS mode to make sure only tested
and approved algorithms are used.
However, FIPS compliance is technically possible only with certified
modules. And Red Hat certifies exclusively RHEL binary builds (I know
because I do that). You can check the certificates on the CMVP website
and the related Security Policy documents for more details.
CentOS (or any other rebuild) builds are not covered by Red Hat
Certificates and I am not aware of anyone else certifying CentOS
binaries either.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc