(I checked the issues and didn't see anything similar)

I would like to know, now that Redis has TLS support, if the encryption algorithms are compliant with the FIPS 140-2 specifications. I see that other infrastructure solutions have a FIPS mode setting that allows limiting the ciphers used. Others allow selecting a list of ciphers. Is there anything similar in Redis?

Comment From: yossigo

You can configure ciphers explicitly with tls-ciphers (for TLS <= 1.2) and tls-ciphersuites (for TLS 1.3 if supported by your OpenSSL).

Usually FIPS compliance involves using a compliant version of OpenSSL and sometimes additional system wide settings, with little to no additional impact on applications (at least as long as they don't roll additional crypto operations other than plain TLS).

Comment From: javsalgar

Hi,

Thank you very much! That's the information I required :)

Comment From: dmitrypol

This might be a silly question, but is TLS_CHACHA20_POLY1305_SHA256 FIPS 140-2 compliant? And if not, is it possible to use different ciphersuites with Redis by modifying tls-ciphersuites in redis.conf? Can't find any definitive answers online.

Comment From: yossigo

@dmitrypol I believe not, but please note that FIPS 140-2 compliance goes well beyond what ciphersuites you use; it also depends on what version of OpenSSL you use and how you configure it.

All of this does not concern Redis which uses whatever OpenSSL you build/dynamically link against. You may use tls-ciphersuites or tls-ciphers to manage this configuration. You should consult OpenSSL documentation for more information.

Comment From: javsalgar

Hi!

I have another question. Checking this:

https://redis.io/topics/acl

How passwords are stored internally

Redis internally stores passwords hashed with SHA256, if you set a password and check the output of ACL LIST or GETUSER you'll see a long hex string that looks pseudo random. Here is an example, because in the previous examples, for the sake of brevity, the long hex string was trimmed:

As far as I know, sha256 digests are forbidden in FIPS. For example, in another application I get errors like this

OpenSSL internal error, assertion failed: Low level API call to digest SHA256 forbidden in FIPS mode!

Could you confirm what's the use of sha256 in Redis?

Comment From: javsalgar

Any chance to check this @yossigo?

Comment From: yossigo

@javsalgar This is correct: when ACL users are created with hashed passwords, SHA-256 is used. When that design was created, it was trading security for performance by avoiding PBKDF* or similar proof-of-work oriented algorithms.
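An added example, not code from Redis or from anyone in this thread, that audits a redis.conf fragment for the two points discussed above: TLS 1.3 suites in tls-ciphersuites that fall outside the FIPS-approved AES-GCM set (TLS_CHACHA20_POLY1305_SHA256 is not FIPS-approved), and ACL user lines whose passwords are stored as the SHA-256 hex digest Redis uses. The config text and the approved-suite allowlist are constructed here; tls-ciphers (TLS <= 1.2) uses OpenSSL cipher-list syntax and is left to OpenSSL to evaluate.

```python
import hashlib
import re

# Assumption: a FIPS 140-2 deployment allows only AES-GCM suites for TLS 1.3.
# ChaCha20-Poly1305 is not a FIPS-approved algorithm, so it is not listed.
FIPS_TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def acl_password_hash(password: str) -> str:
    """Hex SHA-256 digest, which is how Redis stores an ACL password
    (shown with a leading '#' in ACL LIST / ACL GETUSER output)."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_redis_conf(conf_text: str) -> dict:
    """Scan redis.conf-style text and report non-FIPS TLS 1.3 suites,
    SHA-256 hashed ACL passwords and cleartext (>) ACL passwords."""
    findings = {"non_fips_suites": [], "sha256_hashes": [], "cleartext_passwords": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "tls-ciphersuites":
            # OpenSSL separates TLS 1.3 suites with ':'
            for suite in value.split(":"):
                if suite and suite not in FIPS_TLS13_SUITES:
                    findings["non_fips_suites"].append(suite)
        elif key == "user":
            # 'user <name> <rules...>'; '#<hex>' is a hashed password, '>pw' is cleartext
            for token in value.split()[1:]:
                if token.startswith("#") and SHA256_HEX.match(token[1:]):
                    findings["sha256_hashes"].append(token[1:])
                elif token.startswith(">"):
                    findings["cleartext_passwords"].append(token[1:])
    return findings


# Constructed sample config: one non-FIPS suite, one cleartext and one hashed ACL password.
SAMPLE_CONF = """
tls-port 6379
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
user alice on >s3cret ~* +@all
user bob on #{} ~* +@all
""".format(acl_password_hash("hunter2"))

if __name__ == "__main__":
    print(audit_redis_conf(SAMPLE_CONF))
```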

Comment From: Kauef

@yossigo hi, do you know if there is a way around for the acl file?

Comment From: yossigo

@Kauef Currently it is not possible.