[Pacemaker] Building pacemaker without gnutls

Ken Gaillot kjgaillo at gleim.com
Mon Aug 11 02:33:55 CEST 2014


On 8/10/14 7:24 PM, Andrew Beekhof wrote:
> On 10 Aug 2014, at 7:10 pm, Oren <theoren28 at hotmail.com> wrote:
>
>> Hi,
>> Can you support pacemaker without gnutls as it is not FIPS compliant?
>
> It's not?
>
>> This dependency may be replaced by openssl, with a configure flag to control
>> this.
>
> We'll certainly consider a patch that did this.
> I don't know enough about OpenSSL to create it though.

FYI this is nontrivial. The FIPS-certified OpenSSL is not the one 
normally distributed; applications (pacemaker in this case) have to be 
able to use a special, source-only OpenSSL component as-is, with not the 
slightest modification to the source or its build process. Woe unto them 
who need to change a single character:

    "New FIPS 140-2 validations (of any type) are slow (6-12 months is
    typical), expensive (US$50,000 is probably typical for an uncomplicated
    validation), and unpredictable (completion dates are not only uncertain
    when first beginning a validation, but remain so during the process)."

    https://www.openssl.org/docs/fips/fipsnotes.html

The payoff is access to U.S. government contracts, if you're into that 
sort of thing.

Ironically, the FIPS-certified OpenSSL can be considered less secure 
than the uncertified version, because due to the nature of 
certification, bugs and holes get patched much more slowly:

    https://blog.bit9.com/2012/04/23/fips-compliance-may-actually-make-openssl-less-secure/

-- Ken Gaillot <kjgaillo at gleim.com>
    Gleim NOC


