honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use BCFIPS 1.0.2 in our CI (#63116) 

Bouncy Castle's BC-FJA-1.0.2 has been certified for a while now
but we had noticed that it seems to be rather entropy hungry and
ES would start very slowly ( and tests would take forever )
because of blocking calls to /dev/random.

We verified that this is resolved when enabling hw RNG or a
software one like haveged. While rng-tools should be suggested for
production uses, our ephemeral workers have haveged installed
which should work just fine for CI.

Backport of 63099
This commit is contained in:
Ioannis Kakavas 2020-10-01 14:48:53 +03:00 committed by GitHub
parent c2992ea287
commit 2ea3073a5e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
buildSrc/src/main/resources/fips_java_bcjsse_11.security
View File

@ -1,6 +1,6 @@
# Security Properties for JDK 11 and higher, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in FIPS mode
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
security.provider.4=SunJGSS

2
buildSrc/src/main/resources/fips_java_bcjsse_8.security
View File

@ -1,6 +1,6 @@
# Security Properties for JDK 8, with BouncyCastle FIPS provider and BouncyCastleJsseProvider in FIPS mode
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.jgss.SunProvider

2
buildSrc/src/main/resources/fips_java_sunjsse.security
View File

@ -1,6 +1,6 @@
# Security Properties for JDK 8, with BouncyCastle FIPS provider and SunJSSE in FIPS mode
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider C:HYBRID;ENABLE{All};
security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
security.provider.3=sun.security.provider.Sun
security.provider.4=sun.security.jgss.SunProvider

2
gradle/fips.gradle
View File

@ -25,7 +25,7 @@ if (BuildParams.inFipsJvm) {
fipsPolicy = new File(fipsResourcesDir, "fips_java_bcjsse_11.policy")
}
File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.1')
def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2')
def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.9')
pluginManager.withPlugin('java') {