Hello,
For many years now we have been offering Rust plugins, and for those that build the server themselves it was possible to disable Rust if it was not wanted. This is no longer going to be an option starting in the next release of 389-ds-base-2.2 (on Fedora 37). We are upgrading the default password storage schema to the Rust password storage scheme PBKDF2_SHA256 for its improved security and performance over the C/NSS version (PBKDF2-SHA256). We are also going to be incorporating Rust into core parts of the server. So leaving Rust optional is no longer going to be an option.
Sorry for the inconvenience this will impose on people not wanting to build with Rust, but this is the direction we are moving in with the 389 project.
Feel free to ask any questions or voice concerns over this change, and we will do our best to address them.
Sincerely,
-- Directory Server Development Team
How are you going to handle the FIPS build issues surrounding Rust right now?
Are all crypto libraries going to build against the underlying OpenSSL (or something else certified)?
Thanks,
Trevor
On 8/23/22 9:58 AM, Trevor Vaughan wrote:
How are you going to handle the FIPS build issues surrounding Rust right now?
Are all crypto libraries going to build against the underlying OpenSSL (or something else certified)?
Correct, all the Rust password storage scheme plugins use OpenSSL (not NSS), so we don't have these issues anymore.
FYI we were able to get the NSS PBKDF2 version working in FIPS (in very recent versions), but the Rust version is much better and more secure.
Thanks, Mark
Awesome, thanks for the info!
Trevor
On 24 Aug 2022, at 00:17, Mark Reynolds mareynol@redhat.com wrote:
On 8/23/22 9:58 AM, Trevor Vaughan wrote:
How are you going to handle the FIPS build issues surrounding Rust right now?
Are all crypto libraries going to build against the underlying OpenSSL (or something else certified)?
Correct, all the Rust password storage scheme plugins use OpenSSL (not NSS), so we don't have these issues anymore.
FYI we were able to get the NSS PBKDF2 version working in FIPS (in very recent versions), but the Rust version is much better and more secure.
The other improvement of the OpenSSL version of PBKDF2 vs the NSS version is that the NSS version uses a slower PBKDF2 construction, which more than halves the number of rounds we can do, which limits the ability to improve memory/time hardness on the password checks. So being able to use the OpenSSL version, which also benefits from being written in a memory-safe language, is fantastic to improve password handling security :)
So I'm very excited about this change and that it will be a default soon :)
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia

389-users mailing list -- 389-users@lists.fedoraproject.org
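Following William's point that a faster PBKDF2 construction buys more rounds for the same latency budget, here is an added Python example (not 389-ds code and not the Rust plugin's code) that calibrates a PBKDF2-HMAC-SHA256 iteration count to a time target, stores the parameters in a self-describing record, and verifies in constant time. The record layout and the minimum-rounds policy are assumptions of this example; CPython's hashlib.pbkdf2_hmac is OpenSSL-backed, as the thread describes for the Rust scheme.

```python
"""Added example, not 389-ds code: PBKDF2-HMAC-SHA256 password records with a
calibrated work factor and constant-time verification. CPython's
hashlib.pbkdf2_hmac is OpenSSL-backed, like the Rust scheme in the thread.
The '{PBKDF2-SHA256}$iters$salt$dk' layout is constructed for this example
and is not the on-disk format 389-ds uses."""
import base64
import hashlib
import hmac
import os
import time

DK_LEN = 32              # derived-key length (SHA-256 output size)
SALT_LEN = 16            # 128-bit random salt per password
MIN_ITERATIONS = 10_000  # floor: a bad timing probe can never yield a weak record


def calibrate_iterations(target_seconds=0.1, probe_iterations=20_000):
    """Choose an iteration count so one check costs about target_seconds here.

    The thread's point: a faster PBKDF2 construction buys more rounds for the
    same latency budget. Measure one probe, scale, never drop below the floor.
    """
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"probe-salt", probe_iterations, DK_LEN)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(MIN_ITERATIONS, int(probe_iterations * target_seconds / elapsed))


def hash_password(password, iterations):
    """Return '{PBKDF2-SHA256}$iters$salt_b64$dk_b64' with a fresh random salt."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DK_LEN)
    return "{PBKDF2-SHA256}$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, record):
    """Re-derive with the parameters stored in the record; compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except ValueError:  # wrong field count, non-integer rounds, or bad base64
        return False
    # Policy (assumed): reject unknown schemes, lowered round counts, odd key sizes.
    if scheme != "{PBKDF2-SHA256}" or iterations < MIN_ITERATIONS or len(expected) != DK_LEN:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DK_LEN)
    return hmac.compare_digest(actual, expected)
```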