We need to rework FIPS mode in Samba

[Andrew Bartlett]

Correct, Samba can't be FIPS compliant, but we can avoid using known
poor cryptography not for certification purposes, but for sensible
'secure by default' or at least 'can be configured to be sensibly
secure' design principles. 

Just as you wouldn't offer SSLv3 even when the host is not FIPS-140
certified.

Samba's CI system runs on a Ubuntu 20.04 base for the majority of the
tests (as mentioned, we run a tiny number of tests in a Fedora 35
environment to test "FIPS mode"), but most importantly the final
autobuild is under the Ubuntu 20.04 platform, so we should ensure that
our tests are run there when possible.

I'm quite disappointed at the "FIPS mode" in GnuTLS is optional in this
way - also denying any application or administrator the opportunity to
opt out of weak ciphers on a per-app basis - but that is life.

Andrew Bartlett

On Fri, 2022-03-18 at 12:07 +0200, Aleksandar Kostadinov via samba-
technical wrote:
> How can samba be FIPS compliant on a non-FIPS compliant operating system?
> Might be easier to just run the tests in a FIPS compliant environment.

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba