We need to rework FIPS mode in Samba

Aleksandar Kostadinov akostadinov at gmail.com
Fri Mar 18 19:00:31 UTC 2022

It is good for samba to have some switch for enabling only secure
algorithms. But I don't think it has to be implemented by the FIPS mode.
Some newer secure ciphers can yet be unaccepted in a FIPS standard. FIPS
doesn't mean highest security. It just means the FIPS standard.

On Fri, Mar 18, 2022 at 8:36 PM Andrew Bartlett <abartlet at samba.org> wrote:

> Correct, Samba can't be FIPS compliant, but we can avoid using known
> poor cryptography not for certification purposes, but for sensible
> 'secure by default' or at least 'can be configured to be sensibly
> secure' design principles.
> Just as you wouldn't offer SSLv3 even when the host is not FIPS-140
> certified.
> Samba's CI system runs on a Ubuntu 20.04 base for the majority of the
> tests (as mentioned, we run a tiny number of tests in a Fedora 35
> environment to test "FIPS mode"), but most importantly the final
> autobuild is under the Ubuntu 20.04 platform, so we should ensure that
> our tests are run there when possible.
> I'm quite disappointed at the "FIPS mode" in GnuTLS is optional in this
> way - also denying any application or administrator the opportunity to
> opt out of weak ciphers on a per-app basis - but that is life.
> Andrew Bartlett
> On Fri, 2022-03-18 at 12:07 +0200, Aleksandar Kostadinov via samba-
> technical wrote:
> > How can samba be FIPS compliant on a non-FIPS compliant operating system?
> > Might be easier to just run the tests in a FIPS compliant environment.
> --
> Andrew Bartlett (he/him)        https://samba.org/~abartlet/
> Samba Team Member (since 2001)  https://samba.org
> Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

More information about the samba-technical mailing list