Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using azure-sdk-for-python for Government security FIPS compliance #24240

Closed
iotmani opened this issue Apr 29, 2022 · 7 comments
Closed

Using azure-sdk-for-python for Government security FIPS compliance #24240

iotmani opened this issue Apr 29, 2022 · 7 comments
Assignees
@mikeharder @xiangyan99
Labels
Azure.Core customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@iotmani
Copy link

iotmani commented Apr 29, 2022

Hello,

[I was directed by Azure support case 2204280010000006 to open a GitHub issue for this].

I have a question regarding the azure-sdk-for-python, we use the clients in there to fetch millions of metrics per minute from Azure for us as well as on behalf of our customers.

We're in the process of doing an audit for FIPS 140-2 compliance, and want to confirm if the Python SDK Client code makes FIPS compliant connections to Azure (e.g. TLS 1.2+, and if possible which version at a minimum we should be using in order to be FIPS 140-2 compliant.

This might be a question for the Engineering Azure Python SDK team which maintains the open-source repository https://github.com/Azure/azure-sdk-for-python.

Note that the scope is only the connection between the SDK Client and Azure endpoints is what's at interest here, not whether services within Azure are or are not FIPS 140-2 compliant.

Thanks in advance,
I.O.
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Apr 29, 2022
@azure-sdk
Copy link
Collaborator

Label prediction was below confidence level 0.6 for Model:ServiceLabels: 'Docs:0.10000186,Azure.Core:0.0611055,Compute:0.053724825'

@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Apr 29, 2022
@tjprescott
Copy link
Member

Hi @iotmani that's a great question. @xiangyan99 can you look into this?

@xiangyan99
Copy link
Member

Are you asking if our SDK libraries can work under FIPS mode?

Could you tell us which libraries are you using?

My understanding is that FIPS mode needs to be enabled at the OpenSSL level.

Most libraries should continue to work.

But some of our libraries make OpenSSL part of the package we ship (e.g. uAMQP) hence they will not work under FIPS mode.

@xiangyan99 xiangyan99 added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Apr 29, 2022
@iotmani
Copy link
Author

iotmani commented May 4, 2022
edited
Loading

Hello @xiangyan99,
Thanks for the response.

Yes I'm wondering whether they'd work in FIPS mode or at the least if TLS >=1.2 is used when it's supported (which looks to be the case as requests picks the best one supported by the management.azure.com server for API calls).

To my knowledge, none of the packages we use come with their own OpenSSL libraries, but please do correct me if I'm wrong:

azure-common
azure-core
azure-identity
azure-mgmt-costmanagement
azure-mgmt-compute
azure-mgmt-monitor
azure-mgmt-network
azure-mgmt-resourcegraph
azure-mgmt-sql
azure-mgmt-storage
azure-mgmt-web
azure-storage-blob
msrestazure

Regards,
IO.

@ghost ghost added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels May 4, 2022
@xiangyan99
Copy link
Member

Thank you for the information @iotmani .

You are right. None of the libraries has OpenSSL baked into the package.

They work with TLS >= 1.2. (To clarify, they don't require TLS >= 1.2. If both service and OS support TLS >= 1.2, they will use TLS 1.2 automatically).

@xiangyan99 xiangyan99 added the issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. label May 4, 2022
@ghost
Copy link

ghost commented May 4, 2022

Hi @iotmani. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text “/unresolve” to remove the “issue-addressed” label and continue the conversation.

@ghost ghost removed the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label May 4, 2022
@iotmani
Copy link
Author

iotmani commented May 5, 2022

Excellent, thanks very much!

@iotmani iotmani closed this as completed May 5, 2022
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@mikeharder mikeharder

@xiangyan99 xiangyan99

Labels
Azure.Core customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@iotmani @tjprescott @mikeharder @xiangyan99 @azure-sdk @tasherif-msft