Damian Wallace opened 6 years ago
Tigase cannot use OpenSSL module. It can use only Java Cryptography Extension (JCE) (free or commercial) like Bouncycastle (we have to add configuration option for that). But if non-standard JCE is configured as default in VM, then it should be used by Tigase without additional configuration.
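An added example, not part of the original thread and not Tigase code: a stand-alone Java check that prints the JVM's provider preference order and shows which provider answers when a service is requested without naming one, which is the default-JCE behaviour the comment above relies on. The class name and the set of algorithms probed are assumptions chosen for illustration.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.net.ssl.SSLContext;

// Hypothetical helper class; run it with the same JVM and java.security
// configuration that the server process will use.
public class JceProviderReport {

    interface Lookup { Provider get() throws Exception; }

    // Records the provider that served a lookup, or why the lookup failed.
    static void record(Map<String, String> out, String label, Lookup lookup) {
        try {
            out.put(label, lookup.get().getName());
        } catch (Exception e) {
            out.put(label, "unavailable (" + e.getClass().getSimpleName() + ")");
        }
    }

    // Each service is requested WITHOUT a provider argument, so the result is
    // whatever the JVM's configured preference order selects.
    static Map<String, String> resolveDefaults() {
        Map<String, String> out = new LinkedHashMap<>();
        record(out, "SecureRandom", () -> new SecureRandom().getProvider());
        record(out, "MessageDigest SHA-256", () -> MessageDigest.getInstance("SHA-256").getProvider());
        record(out, "Mac HmacSHA256", () -> Mac.getInstance("HmacSHA256").getProvider());
        record(out, "Cipher AES/GCM/NoPadding", () -> Cipher.getInstance("AES/GCM/NoPadding").getProvider());
        record(out, "KeyPairGenerator RSA", () -> KeyPairGenerator.getInstance("RSA").getProvider());
        record(out, "SSLContext TLS", () -> SSLContext.getInstance("TLS").getProvider());
        return out;
    }

    public static void main(String[] args) {
        Provider[] providers = Security.getProviders();
        System.out.println("Provider preference order:");
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("  %d. %s - %s%n", i + 1, providers[i].getName(), providers[i].getInfo());
        }
        System.out.println("Provider selected by default for each service:");
        resolveDefaults().forEach((service, name) -> System.out.printf("  %-26s %s%n", service, name));
    }
}
```

If a service still resolves to a provider other than the one intended for FIPS use, the preference order in the JVM's security configuration is not what was expected.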
Thank you. From the statement "We have to add configuration option" I understand that this is new code to support this, or does this option exist today for us to start experimentation?
Sorry for delayed response. To be honest the FIPS stuff was quite new to me, so I had to learn and dive into the topic before responding. However, it looks like I have good news. Although Tigase (Java) cannot easily use OpenSSL for FIPS compliance, the good news is that Java itself supports FIPS 140-2 mode out of the box. Which means, Tigase, most likely does support it as well out of the box. So, it looks like, Tigase can be run in FIPS compliant mode even without using OpenSSL. I am saying "most likely" because this is something we have not tested before, so we would need to check it out before giving you a definite answer. But this is something, which is enabled on the Java level, therefore, I am pretty sure it will work. Please check with your client if running Java with FIPS compliance mode is good enough for them, or they really need to use OpenSSL for this. If you confirm that Java with FIPS compliance mode is good enough, we can run tests to confirm that Tigase handles it correctly. Quick search on the internet returns this link on how to enable FIPS compliance mode in Java: https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm#SECMG770
Thank you. We'll revert with this for now, and discuss with our FIPS consultant. Please close ticket. On 11/27/18, 2:55 PM, "support@tigase.net" support@tigase.net wrote:
Type: New Feature
Priority: Normal
Assignee:
RedmineID: 8345
Version: tigase-server-7.1.3
|
https://www.openssl.org/docs/fips.html.
We have some large opportunities that ask that we support the use of this OpenSSL version for FIPS compliance (not certification). Is there a configuration option or other method to use this binary? I have noted that ejabberd (in ProcessOne) and MongooseIM have this function, and they are the competition for a lot of these asks. As you do not appear in the NIST registry, I am assuming that Tigase has never done a FIPS certification.
I've read up on some posts on your site, and the forums (https://tigase.tech/boards/15/topics/5044-need-information-regarding-the-tigase-xmpp-libraries-that-whether-its-supports-s2s-integration-communication_) but it appears unclear.