Last active
September 2, 2020 14:28
Become FIPS Compliant with HAProxy Enterprise on Red Hat Enterprise Linux 8

$ openssl version
OpenSSL 1.1.1c FIPS 28 May 2019

$ sudo fips-mode-setup --check
Installation of FIPS modules is not completed.
FIPS mode is disabled.

$ sudo fips-mode-setup --enable
Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
FIPS mode will be enabled.
Please reboot the system for the settings to take effect.

$ sudo fips-mode-setup --check
FIPS mode is enabled.

$ openssl md5 /dev/null
Error setting digest
139634625394496:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:

$ cat /proc/sys/crypto/fips_enabled
1
$ sysctl crypto.fips_enabled
crypto.fips_enabled = 1

$ update-crypto-policies --show
FIPS

frontend fe_main
    bind :80
    bind :443 ssl crt /etc/hapee-2.1/certs/ssl.pem ssl-min-ver TLSv1.2 ciphers PROFILE=SYSTEM ciphersuites PROFILE=SYSTEM
    http-request redirect scheme https unless { ssl_fc }
    default_backend servers

$ sudo systemctl restart hapee-2.1-lb

$ openssl ciphers PROFILE=SYSTEM
# List of algorithms is displayed…
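
An added example, not part of the original gist: a shell check that reads the kernel FIPS flag and audits an HAProxy configuration for TLS `bind` lines that depart from the pattern in the `fe_main` frontend above. The function names `fips_flag_on`, `audit_binds` and `sample_cfg` and the `:8443` bind line are constructed for illustration, and defaults inherited from a `global` section are assumed absent and not inspected.

```shell
#!/bin/sh
# Added example (not from the gist): check the FIPS flag and audit bind lines.

# Return 0 when the kernel FIPS flag file holds "1". $1 overrides the path
# so the check can be exercised offline.
fips_flag_on() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# Report each TLS bind line that does not defer ciphers and ciphersuites to
# PROFILE=SYSTEM or does not pin ssl-min-ver to TLSv1.2 or TLSv1.3.
# Output format: file:line: failed checks. Returns 1 if any line is reported.
audit_binds() {
    awk '
    { sub(/[ \t]+#.*$/, "") }          # drop trailing comments
    $1 == "bind" {
        tls = 0; ciphers = ""; suites = ""; minver = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "ssl")          tls = 1
            if ($i == "ciphers")      ciphers = $(i + 1)
            if ($i == "ciphersuites") suites  = $(i + 1)
            if ($i == "ssl-min-ver")  minver  = $(i + 1)
        }
        if (!tls) next                 # plain HTTP bind, nothing to audit
        why = ""
        if (ciphers != "PROFILE=SYSTEM") why = why " ciphers"
        if (suites  != "PROFILE=SYSTEM") why = why " ciphersuites"
        if (minver != "TLSv1.2" && minver != "TLSv1.3") why = why " ssl-min-ver"
        if (why != "") { printf "%s:%d:%s\n", FILENAME, FNR, why; bad = 1 }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the :443 bind matches the gist, the :8443 bind hardcodes
# a cipher list instead of deferring to the system policy.
sample_cfg() {
    cat <<'EOF'
frontend fe_main
    bind :80
    bind :443 ssl crt /etc/hapee-2.1/certs/ssl.pem ssl-min-ver TLSv1.2 ciphers PROFILE=SYSTEM ciphersuites PROFILE=SYSTEM
    bind :8443 ssl crt /etc/hapee-2.1/certs/ssl.pem ciphers ECDHE-RSA-AES128-GCM-SHA256
EOF
}

tmp=$(mktemp); sample_cfg > "$tmp"
audit_binds "$tmp" || echo "bind lines above do not follow the system crypto policy"
rm -f "$tmp"
```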