Jenkins Core and Plugins VS FIPS 140-2


Илья Гуляев
Hi all,
I want to add support for FIPS 140-2 to Jenkins Core and some plugins.

The BouncyCastle security provider used in Jenkins has a FIPS version.
https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf
https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf
https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf

I've tried to run Jenkins with BouncyCastleFipsProvider and found some blockers:
  • Hardcoded use of the JKS keystore (BouncyCastleFipsProvider uses BCFKS)
Suggested solution:
Change
KeyStore.getInstance("JKS");
to
KeyStore.getInstance(KeyStore.getDefaultType());

  • Don't add BouncyCastleProvider if BouncyCastleFipsProvider is already used, because BouncyCastleProvider contains algorithms that can't be used in FIPS mode.
There can be 2 solutions:
1. Check the already used providers and don't add a new one if BouncyCastle (BC) or BouncyCastleFIPS (BCFIPS) is already used.
Example:
if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS") == null) {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
}
2. Add a flag for FIPS mode, which should be used in plugins.
Example:
if (isFipsMode()) {
    Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
} else {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
}

What do you think about that change? What can you suggest?
I can do pull requests for the projects used in my Jenkins installation and will be happy if someone helps with other projects.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/c27a5acc-e75b-43b7-826a-1610e12d7565n%40googlegroups.com.

Re: Jenkins Core and Plugins VS FIPS 140-2

Matt Sicker
I think it'll require a bit more patching than just that. What about
all the plugins and Jenkins core code that requests non-FIPS
algorithms? For example, MD5 is still used for some non-security
features, and I wouldn't expect that to be available in a
FIPS-compliant JCE provider.

On the other hand, I'd hope that their JSSE stuff for TLS connections
works fairly transparently which would at least cover the HTTPS and
some Remoting connections.

On Fri, Feb 5, 2021 at 7:41 AM Илья Гуляев <[hidden email]> wrote:

>
> Hi all,
> I want to add support for FIPS 140-2 to Jenkins Core and some plugins.
>
> The BouncyCastle security provider used in Jenkins has a FIPS version.
> https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf
> https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf
> https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf
>
> I've tried to run Jenkins with BouncyCastleFipsProvider and found some blockers:
>
> Hardcoded use of the JKS keystore (BouncyCastleFipsProvider uses BCFKS)
>
> https://github.com/search?l=Java&q=org%3Ajenkinsci+JKS&type=Code
> Suggested solution:
> Change
> KeyStore.getInstance("JKS");
> to
> KeyStore.getInstance(KeyStore.getDefaultType());
>
> Don't add BouncyCastleProvider if BouncyCastleFipsProvider is already used, because BouncyCastleProvider contains algorithms that can't be used in FIPS mode.
>
> https://github.com/search?p=2&q=org%3Ajenkinsci+BouncyCastleProvider&type=Code
> There can be 2 solutions:
> 1. Check the already used providers and don't add a new one if BouncyCastle (BC) or BouncyCastleFIPS (BCFIPS) is already used.
> Example:
> if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS") == null) {
>     Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
> }
> 2. Add a flag for FIPS mode, which should be used in plugins.
> Example:
> if (isFipsMode()) {
>     Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
> } else {
>     Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
> }
>
> What do you think about that change? What can you suggest?
> I can do pull requests for the projects used in my Jenkins installation and will be happy if someone helps with other projects.

--
Matt Sicker
Senior Software Engineer, CloudBees


Re: Jenkins Core and Plugins VS FIPS 140-2

Илья Гуляев
I've made several PRs in Jenkins Core and Remoting:
https://github.com/jenkinsci/jenkins/pull/5266
https://github.com/jenkinsci/remoting/pull/435

Also, I've added a change to kubernetes-client, which is used in several plugins:
https://github.com/fabric8io/kubernetes-client/pull/2788

At least the following plugins should bump the version of kubernetes-client after the fix is released:
https://github.com/jenkinsci/kubernetes-client-api-plugin
https://github.com/jenkinsci/kubernetes-plugin

Now I need suggestions on how to exclude adding BouncyCastleProvider time.
https://github.com/jenkinsci/bouncycastle-api-plugin/blob/master/src/main/java/jenkins/bouncycastle/api/InstallBouncyCastleJCAProvider.java
https://github.com/jenkinsci/bouncycastle-api-plugin/blob/master/src/main/java/jenkins/bouncycastle/api/SecurityProviderInitializer.java



Re: Jenkins Core and Plugins VS FIPS 140-2

Matt Sicker
I'd imagine a global security configuration option in
bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
work. If that's too late in the initialization process, then a system
property to allow overriding which BC provider to use may be more
appropriate.

I also have a concern about data migration for any encrypted stored
data if it needs to change algorithms, but that might not be a problem
depending on which AES modes are still allowed in FIPS. For that area,
there's the ConfidentialStore API in Jenkins core along with
hudson.util.Secret (which uses that store API), some encryption code
in credentials plugin for certificate credentials support, and some
encryption code in ssh-credentials plugin for supporting different key
formats (FIPS requires use of PKCS12 private keys, not the OpenSSH
format, so you may need to add support there if you're using SSH,
too).

--
Matt Sicker
Senior Software Engineer, CloudBees


Re: Jenkins Core and Plugins VS FIPS 140-2

Илья Гуляев
In reply to this post by Matt Sicker
> I think it'll require a bit more patching than just that. What about
> all the plugins and Jenkins core code that requests non-FIPS
> algorithms? For example, MD5 is still used for some non-security
> features, and I wouldn't expect that to be available in a
> FIPS-compliant JCE provider.

As far as I know, MD5 can still be used for non-security features.
I'm sure that the issue is more complex than removing JKS and adding a security provider. But this is a prerequisite for FIPS support.
The suggested changes will allow running Jenkins with BouncyCastleFipsProvider and finding unapproved algorithms in Jenkins Core and plugins.
After that, maintainers can find other issues with FIPS and decide whether to support FIPS mode or not.


Thanks,
Ilya Gulyaev
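
Added example, not part of the original thread and not Jenkins code: a probe that uses only standard java.security and javax.crypto calls to show which registered provider answers the lookups discussed above (hardcoded JKS, the default keystore type, MD5) and whether BC and BCFIPS are registered side by side. The class name and the list of algorithm names are constructed for illustration.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

// Added example (not Jenkins code): reports what the JCA configuration of the
// running JVM resolves for the lookups discussed in this thread.
public class FipsReadinessProbe {

    /** A lookup made without naming a provider, as most application code does. */
    interface Lookup {
        Provider provider() throws Exception;
    }

    static String probe(String label, Lookup lookup) {
        try {
            return String.format("%-34s OK       via %s", label, lookup.provider().getName());
        } catch (Exception e) {
            // NoSuchAlgorithmException, KeyStoreException, ...: no registered provider serves it.
            return String.format("%-34s MISSING  (%s)", label, e.getClass().getSimpleName());
        }
    }

    static List<String> report() {
        List<String> out = new ArrayList<>();

        // Order matters: getInstance(name) returns the first provider that has the name.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            out.add("provider #" + (i + 1) + ": " + providers[i].getName());
        }

        // "BC" and "BCFIPS" are the provider names used in the thread.
        boolean bc = Security.getProvider("BC") != null;
        boolean bcFips = Security.getProvider("BCFIPS") != null;
        if (bc && bcFips) {
            out.add("CONFLICT: BC and BCFIPS are both registered");
        } else if (!bcFips) {
            out.add("note: BCFIPS is not registered, results describe a non-FIPS setup");
        }

        // The keystore.type security property decides what getDefaultType() returns.
        String defaultType = KeyStore.getDefaultType();
        out.add(probe("KeyStore default (" + defaultType + ")",
                () -> KeyStore.getInstance(defaultType).getProvider()));
        // Hardcoded types: the pattern the thread proposes to remove.
        for (String type : new String[] {"JKS", "PKCS12", "BCFKS"}) {
            out.add(probe("KeyStore " + type, () -> KeyStore.getInstance(type).getProvider()));
        }
        // Constructed sample of algorithm names; extend with what your plugins request.
        for (String alg : new String[] {"MD5", "SHA-1", "SHA-256"}) {
            out.add(probe("MessageDigest " + alg,
                    () -> MessageDigest.getInstance(alg).getProvider()));
        }
        out.add(probe("Cipher AES/GCM/NoPadding",
                () -> Cipher.getInstance("AES/GCM/NoPadding").getProvider()));
        return out;
    }

    public static void main(String[] args) {
        report().forEach(System.out::println);
    }
}
```

Run it with the same java.security file and classpath as the Jenkins JVM; a MISSING line marks a lookup that would fail for any code requesting that name.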

Re: Jenkins Core and Plugins VS FIPS 140-2

Илья Гуляев
In reply to this post by Matt Sicker
> I'd imagine a global security configuration option in
> bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
> work. If that's too late in the initialization process, then a system
> property to allow overriding which BC provider to use may be more
> appropriate.

You are right!
In my test Jenkins installation (with self-compiled changes in core and plugins), I've added BouncyCastleFipsProvider to the java.security file.
Maybe it would be better to disable adding BouncyCastleProvider if any of the Bouncy Castle providers (simple or FIPS) already exists?

Also, I've tested the ConfidentialStore API in Jenkins with FIPS mode, and simple credentials like username:password and secret text work without any changes. This means that the AES algorithm used is approved for FIPS.
I'm not using SSH plugins, but they can be updated, too.
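
Added example, not part of the original thread and not the bouncycastle-api-plugin code: one way to combine the two ideas discussed above, a system property that selects the provider and a guard that adds nothing when a Bouncy Castle provider is already registered (for instance through the java.security file). The property name example.bouncycastle.fips and the class name are hypothetical; the provider class names are the ones quoted in the thread.

```java
import java.security.Provider;
import java.security.Security;

// Added example (not the bouncycastle-api-plugin code): pick one Bouncy Castle
// provider and never register the general one next to the FIPS one.
public class BouncyCastleProviderSelector {

    // Hypothetical property name, invented for this example.
    static final String FIPS_PROPERTY = "example.bouncycastle.fips";

    // Class names as given in the thread; loaded reflectively so this file
    // compiles with neither jar on the classpath.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    static final String BCFIPS_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    /** Returns the Bouncy Castle provider that is registered once the call completes. */
    static Provider ensureProvider() throws ReflectiveOperationException {
        boolean fipsRequested = Boolean.getBoolean(FIPS_PROPERTY);
        Provider bc = Security.getProvider("BC");
        Provider bcFips = Security.getProvider("BCFIPS");

        // Fail closed: in FIPS mode a registered general provider is an error,
        // whether it came from java.security or from another plugin.
        if (bc != null && (fipsRequested || bcFips != null)) {
            throw new IllegalStateException("BC is registered but FIPS mode is in effect");
        }
        // Already configured, for example through the java.security file: add nothing.
        if (bcFips != null) return bcFips;
        if (bc != null) return bc;

        String className = fipsRequested ? BCFIPS_CLASS : BC_CLASS;
        Provider provider = (Provider) Class.forName(className)
                .getDeclaredConstructor().newInstance();
        Security.addProvider(provider); // appended after the existing providers
        return provider;
    }

    public static void main(String[] args) {
        try {
            System.out.println("active provider: " + ensureProvider().getName());
        } catch (ReflectiveOperationException e) {
            System.out.println("provider class not on classpath: " + e.getMessage());
        } catch (IllegalStateException e) {
            System.out.println("refusing to start: " + e.getMessage());
        }
    }
}
```

Started with -Dexample.bouncycastle.fips=true, it registers BCFIPS or refuses to continue; without the property it keeps whichever Bouncy Castle provider is already present.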