FIPS Compliance

I would like to open a discussion forum on helping OpenZiti’s encryption methodologies ensure FIPS compliance so it will be easier to adopt within the US Federal and DoD spaces.

There is a supported FIPS-compliant SSL library, WolfSSL (https://www.wolfssl.com/), that may accelerate this. One idea I had was to enable a configuration where a user could Bring Your Own License (BYOL) of WolfSSL and set a configuration flag to point to the SSL library to be used?

Additionally, I believe that there is a way to make OpenSSL FIPS compliant or run with a FIPS compliant OpenSSL that would eliminate the need to depend on a paid / supported vendor product?

Thanks!

2 Likes

This is exactly our plan. The OpenSSL FIPS compliance is cumbersome at best, requiring a very significant configuration that is less than optimal to meet the needs. We have had discussions with Wolf, and have done our technical due diligence, resulting in a clear line of sight to providing a Ziti version with FIPS 140-3 compliant modules, and even the full certificate (Hardware solution coupled with apps, etc.) if necessary, utilizing the Wolf process of adding it to their existing certificate for speed. The investment in time and resources hinges on a market-driven need. This would not be an Open Source piece, since it would contain proprietary software from Wolf. If you have a potential use case that would require it, please get in touch with our Business Development team, and start a conversation.

Hello Mike:

We discussed on our side this morning and we’re going to take some stabs at this as we’ve been working FIPS implementation for a few years now on various open source stacks. Our current FIPS environment looks like this:

One thing we’re looking at is a FIPS-compliant Go version using Google’s BoringSSL.

We’ll relay any issues we come across with this and would like to contribute updates back to OpenZiti if possible. Thanks!

2 Likes

Here’s a link to the BoringSSL since I can only post 2 links per post lol

(FIPS compliant crypto in golang | Igor Kupczyński) (boringssl - Git at Google)

Essentially we're building OpenSSL (the current latest - 3.0.7), with the FIPS module enabled in our CentOS 8 Stream base image. And then enabling it by setting OPENSSL_FIPS=1.

Building a Golang image with the BoringSSL module has been on our roadmap for a while, but other things have taken priority for now.
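An added example, not part of the thread or of OpenZiti: after a build like the one described above, a check that the FIPS provider is actually loaded, done by parsing `openssl list -providers` output. The function names are hypothetical and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example. Reads `openssl list -providers` output on stdin and prints
# the status of the "fips" provider, or "absent" if it is not listed.
fips_provider_status() {
    awk '
        # Provider ids are indented two spaces, their attributes four.
        /^  [^ ]/ { current = $1 }
        /^    status:/ && current == "fips" { print $2; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Succeeds only when the fips provider is listed with status "active".
fips_is_active() {
    [ "$(fips_provider_status)" = "active" ]
}

# Live check; assumes an OpenSSL 3.x `openssl` binary on PATH.
check_live_openssl() {
    openssl list -providers 2>/dev/null | fips_is_active
}

# Constructed sample: FIPS module built and activated.
SAMPLE_FIPS_ON='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.7
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.7
    status: active'

# Constructed sample: only the default provider is loaded.
SAMPLE_FIPS_OFF='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.7
    status: active'

for sample in "$SAMPLE_FIPS_ON" "$SAMPLE_FIPS_OFF"; do
    echo "fips provider: $(printf '%s\n' "$sample" | fips_provider_status)"
done
```

An active provider only means the module is loaded; whether algorithm fetches are restricted to it depends on the default properties (such as `fips=yes`) set in the OpenSSL configuration.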

Seems like a setting I'll look into changing. Thanks for that info... I'll fix it for the future

"newuser max links" is now five! :smile:

1 Like