Unable to initialize FIPS mode for strongswan in SLES 11 sp



maheshcamath
15-May-2014, 05:59
I'm trying to enable FIPS mode for IPSec communication with the following configuration in /etc/strongswan.conf:


charon {
    plugins {
        #....
        openssl {
            fips_mode = 1
        }
    }
}



Here is my setup config:
-----------------------
OS: SLES 11 sp3

Strongswan version:
/usr/sbin/ipsec version
Linux strongSwan U4.4.0/K3.0.76-0.11-default

I don't see any logs that suggest FIPS mode enablement, even after restarts.

Can you please help me here?

smflood
15-May-2014, 16:57
On 15/05/2014 06:04, maheshcamath wrote:

> I'm trying to enable the FIPS mode for IPSec communication with
> following configurations done in /etc/strongswan.conf
>
>
> charon {
> plugins {
>
> #....
> openssl {
> fips_mode = 1
> }
>
> }
> }
>
>
>
> Here is my setup config:
> -----------------------
> OS: SLES 11 sp3
>
> Strongswan version:
> /usr/sbin/ipsec version
> Linux strongSwan U4.4.0/K3.0.76-0.11-default
>
> I don't see any logs that suggest FIPS mode enablement, even after
> restarts.
>
> Can you please help me here?

Is FIPS mode enabled?

* What does "grep fips /boot/grub/menu.lst" find?
* What does "cat /proc/sys/crypto/fips_enabled" report?

HTH.
--
Simon
SUSE Knowledge Partner


maheshcamath
19-May-2014, 10:43
Thanks Simon.

FIPS mode is enabled for OpenSSL, but system-wide FIPS mode enablement is not done.

--------------------------------------------
"cat /proc/sys/crypto/fips_enabled" gives me 0

"grep fips /boot/grub/menu.lst" lists nothing.
--------------------------------------------

Is system-wide FIPS enablement mandatory for FIPS mode enablement for the IPSec component?

We have the FIPS-enabled openssl library, as we see below. Isn't this sufficient to attain FIPS mode for IPSec?


prompt > openssl ciphers -v

DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export


prompt > export OPENSSL_FIPS=1

prompt > openssl ciphers -v

DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1



With openssl being FIPS enabled, I'm able to run SSH sessions under FIPS mode today (as I get the following log entry in my /var/log/messages).

sshd[22528]: MD5 not allowed in FIPS 140-2 mode, using SHA-1 for key fingerprints instead.
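
The checks used in this thread (the kernel FIPS flag, the fips boot parameter in menu.lst, and the cipher list with and without OPENSSL_FIPS=1), gathered into one script as an added example that is not part of any post. The function names are hypothetical, matching on `fips=1` rather than any occurrence of "fips" is an assumption, and the sample cipher lines are abbreviated from the listings above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data abbreviated
# from the two `openssl ciphers -v` listings in the thread.

# Kernel FIPS flag: 1 = enabled, 0 = disabled, unreadable file = unknown.
kernel_fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(tr -d '[:space:]' < "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Is fips=1 passed on a non-comment line of the GRUB config?
grub_has_fips() {
    f="${1:-/boot/grub/menu.lst}"
    [ -r "$f" ] || { echo no; return; }
    if grep -v '^[[:space:]]*#' "$f" |
        grep -Eq '(^|[[:space:]])fips=1([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# Cipher names (column 1) in the default list ($1) that are missing from
# the OPENSSL_FIPS=1 list ($2), de-duplicated, in original order.
# Live use: dropped_ciphers "$(openssl ciphers -v)" \
#                           "$(OPENSSL_FIPS=1 openssl ciphers -v)"
dropped_ciphers() {
    printf '%s\n--\n%s\n' "$2" "$1" | awk '
        $0 == "--"    { second = 1; next }
        NF && !second { fips[$1] = 1; next }
        NF && !($1 in fips) && !seen[$1]++ { print $1 }'
}

DEFAULT_SAMPLE='AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5'
FIPS_SAMPLE='AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

echo "kernel FIPS flag:   $(kernel_fips_state)"
echo "fips=1 in menu.lst: $(grub_has_fips)"
echo "ciphers dropped under OPENSSL_FIPS=1 (sample data):"
dropped_ciphers "$DEFAULT_SAMPLE" "$FIPS_SAMPLE"
```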