New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for OpenSSL? #3404
Comments
The answer is almost definitely not, as we are slowly migrating the code to use BoringSSL specific constructs and features. |
cc @PiotrSikora @ggreenway @davidben @tmshort can you also provide some info on why you don't want to use BoringSSL? |
|
@tmshort thx for the info. I will let @davidben and @PiotrSikora comment on BoringSSL FIPS support, but in general would love to understand other missing features so we can make everyone happy with BoringSSL. |
The current version of the BoringSSL FIPS document lists the CMVP certificate number and links to the security policy. Since BoringSSL is open-source, anyone can build and use it as defined in the security policy. (BoringSSL does not need to be dynamically linked to be FIPS compliant.) Some things that are missing in BoringSSL are because we've not had a use for them and could be supported. Some things were affirmatively removed and are unlikely to be supported. But we can give a breakdown if you have a list of your differences. |
Since I don't believe Akamai will switch to BoringSSL, let me answer this from another perspective. We're slowly moving to BoringSSL-specific APIs, so default Envoy's TLS stack is going to use BoringSSL and I don't envision OpenSSL being able to be used as a drop-in replacement for that. However, Envoy has pluggable TransportSocket, which means that there is nothing stopping you from writing standalone OpenSSL-based transport that can be plugged into configuration, similarly to how Envoy-based Istio Proxy supports ALTS. |
@PiotrSikora that's a good point. I suppose we could support an OpenSSL transport socket implementation in the repo, though, I'm not sure if there will be enough community interest to justify adding to the main repo (and the confusion it might cause for what we recommend for most users). |
I'm not sure that you could compile both OpenSSL and BoringSSL into the same executable. I think they would have symbol collisions. |
@ggreenway good point, perhaps we could offer an option to build Envoy without BoringSSL, similarly to how other dependencies be elided. @mattklein123 outside of a few companies that are invested in OpenSSL, I doubt people are going to care enough to have 2 officially supported TLS stacks, and like you said, it's only going to lead to confusion, so I'd suggest that we keep it outside of the main repo (but maybe still under envoyproxy org on GitHub). |
(assuming there is strong enough interest for someone to create and maintain OpenSSL-based |
If you're using OpenSSL as a shared object (which you must for their FIPS build, I believe) then you could make it work with some proxy symbols and a linker script to hide the other symbols from the dynamic exports table. One would need to be careful to use the correct headers in the correct place, however. |
Thanks, @agl, we were unaware of the current FIPS status. It's fairly easy for us to maintain a local BoringSSL repo if needed, and since Envoy won't use the our features (we are slowing pushing them upstream, so as not to overwhelm), we likely won't attempt to maintain them in BoringSSL. |
I'm going to go ahead and close this out as answered. @tmshort feel free to reopen if you want to discuss more about this or have other questions. |
FYI Red Hat are working on switching out BoringSSL for OpenSSL for the same reasons, we are not allowed to ship BoringSSL because of our requirements for FIPS compliance. We would like to have a conversation with any other interested parties and come up with a solution which enables the switch to be made but without forcing the community to switch back to OpenSSL. If you are interested then please reach out to me. |
@tmshort @knrc I am evaluating use of Envoy at Vmware and we have the exact same issues with BoringSSL's certification and would prefer to use OpenSSL. Here are some caveats with the Certified version of BoringSSL:
|
@gdimitrov-vmware There are certainly valid reasons for wanting to use OpenSSL here, but I don't think any that you listed are correct:
|
ECDH is not recommended, certainly. I think the concern may have been ECDHE in FIPS mode (or am I misreading)? This is BoringSSL's current tested configurations (the link is in an @agl post above) :
I'm not sure you can claim any 3.x or 4.x kernels based on this, but only those kernel versions in the given Ubuntu release (e.g. 4.4.0 for Ubuntu 16.04) and also that it only qualifies on the Xeon E5 processor (for those interested in x86_64). My reading of FIPS certifications is that it is a stickler when it comes to tested configurations, and it likely means that any user of Envoy that doesn't match the exact FIPS configuration (of either BoringSSL or OpenSSL) would need their own certification. Given that I might need to get my own certification, I would prefer to do it for one software package on a given OS/processor/compiler combination, rather than two software packages. |
I work with @gdimitrov-vmware ...
I doubt anyone short of BoringCrypto's FIPS submitter could answer whether BoringCrypto is intended to cover ECDHE. I would also guess that if it doesn't, it's unintentional and maybe we'd see some action from BoringCrypto eventually. But the omission of "EC DH Key Agreement" from the FIPS certificate is hard to interpret differently. |
It sounds like you really want to use OpenSSL, and that's ok! But if you want to do a validation of BoringSSL on a different platform then I can give you the contacts for it. We're getting pretty good at it now and, for an already evaluated source-code revision, it should be a doable in a day's work. (At least on the external side, I'm sure the lab has to do a chunk of work too.) As for rendering opinions about operational environments, I can point you to section one of the approved security policy but you would have to contact a CMVP lab for a meaningful opinion for your particular context.
Our customers who drove the FIPS validation had different requirements. However, the 2018 validation (which has been submitted to NIST already) covers “KAS ECC” key agreement in the FIPS module. So that'll be covered by the updated BoringSSL module when that certificate is issued if required. (The KAS ECC was added for a non-FIPS customer requirement that happened to be satisfied by that CAVP certificate. Since we then had the testing wired up anyway, we included it in the 2018 CMVP testing.) |
Brilliant. My "FIPS ECDHE eventually" guess became "FIPS ECDHE already done, the paperwork just isn't approved yet". Made my day, my complements. The complexity of a fixed-hash build and dealing with "other" platforms are substantial, but are operational and not technical. The important detail here is that FIPS adds a lot of complexity that should be irrelevant to Envoy itself. |
(I don't want to put it on a public GitHub issue, but I can point you at the right person at a lab and give you our playbook for running all the required tests as smoothly as possible, if you're interested.) |
FWIW, Envoy tracks |
To give you all a status update we (Red Hat) have been working on this for some time and are at the point where we believe we have a version of envoy using OpenSSL ready for testing, we should be starting this internally next week. Once we are happy with this we are going to move the discussion to the upstream envoy community and work there to determine the best solution for supporting it, we suspect it will be through an agreed abstraction where the support for OpenSSL would be through a separate open source project and not necessarily supported directly by the upstream envoy community but obviously this will be a decision for the community. |
@knrc is there any progress update you can share? |
@knrc Could you also share some details on the approach you are using for adding OpenSSL support? Thanks |
@georgi-d You can take a look at the work Bill has been doing, he's tidying up a few final things but it is working and passing the tests. https://github.com/bdecoste/envoy/tree/openssl https://github.com/bdecoste/proxy/tree/openssl This work is a PoC to investigate the scope of the changes, we still need to discuss this with the community and @bdecoste will be driving that. |
I have built a FIPS compliant version of BoringSSL with a statically linked BoringCrypto. My goal is to build Istio with an Envoy proxy making use of that FIPS compliant version of BoringSSL. My next step is to build Envoy. I did a git clone https://github.com/envoyproxy/envoy.git, followed by a bazel build --package_path %workspace%:/usr/thorsten/ENVOY/MASTER/envoy/ //source/exe:envoy. That resulted in: WARNING: Output base '/home/thorsten/.cache/bazel/_bazel_thorsten/5f642dcc1f744c8d2d608658cf3d5214' is on NFS. This may lead to surprising failures and undetermined behavior. bazel version: Build label: 0.19.0- (@non-git) / bazel-0.19.0-2.el7.x86_64
Thanks, |
You're invoking Bazel in a bit weird way, you should be able to simply call But if the error persists, then perhaps, as the error suggests, the issue is with
BoringSSL is build and statically linked during Envoy's build process, so you'd need to modify build rules to select FIPS-tagged commit of BoringSSL and compile it with Unfortunately, this is a bit more complex than it should be, because Bazel rules in BoringSSL don't support FIPS. Perhaps we should migrate back to using CMake for the time being? cc @agl
You need to build custom Istio Proxy Docker image against your custom Envoy repository (see: https://github.com/istio/proxy/blob/master/istio.deps), then use it in your Istio clusters. |
Thank you @PiotrSikora for your quick response. I removed the cache and linked it to the local fs, as you suggested. Unfortunately the same problem persists (Good news - I no longer see the NFS issue): git clone https://github.com/istio/envoy Can you think of another reason for the above error? Note that many other targets build before this error. Based on the answer to my 2nd question, it sounds like you describe modifying the Envoy build process to point to a FIPS tagged version of BoringSSL and building BoringSSL as part of that process. This appears to be cumbersome due to the reasons you discuss above. Is there a way to avoid the actual building of BoringSSL and merely link in libraries from an already built FIPS compliant version of BoringSSL (I've built BoringSSL under ../boringssl/build)? Could this be a workaround to "Bazel rules in BoringSSL don't support FIPS." This may be a silly question, but is there a way to build Envoy using bazel, and having bazel build BoringSSL using cmake/make internally? My ultimate goal is to build Istio with Envoy using a FIPS compliant version of BoringSSL. Let me ask this: how would you go about achieving such goal? Thanks again for your help, |
@thorsten-avaya but you can now build Envoy with BoringSSL FIPS. |
BoringSSL does not support post-handshake authentication for TLSv1.3; last I knew. Although using PHA would require changes in how Envoy handles certificate authentication. |
Note TLS-level post-handshake authentication is incompatible with both HTTP/2 and QUIC. It's a weird HTTP/1.1-only hack. |
URL for building Envoy with BoringSSL FIPS has changed. |
@davidben Regardless, neither stack offers TLSv1.3 + FIPS, yet.
|
I'm trying to build envoy docker image for which I'm creating a binary first from source code, with Boring SSL FIPS. I'm following the approach given in https://github.com/envoyproxy/envoy/tree/master/ci Since boring SSL is built and linked during envoy built process, I'm passing the required flag --define boringssl=fips in the build options as below IMAGE_NAME=envoyproxy/envoy-build-ubuntu http_proxy=http://proxy.foo.com:8080 https_proxy=http://proxy.bar.com:8080 BAZEL_BUILD_OPTIONS='--define boringssl=fips' ./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.release.server_only' the binary got generated successfully at a defined location. as mentioned in the link the correctness of the FIPS build can be verified by checking the presence of BoringSSL-FIPS in the --version output. I have check the version, but it is still saying only Boring SSL(with out FIPS) as below: e95ef6b/1.10.0/Clean/RELEASE/BoringSSL Am I missing anything in making this FIPS compliant? please suggest. |
Try with
|
@PiotrSikora Yeah, Thank you. |
Looks like the base image which we are taking for compilation ERROR: /build/tmp/_bazel_bazel/436badd4919a15958fa3800a4e21074a/external/boringssl_fips/BUILD.bazel:27:1: Executing genrule @boringssl_fips tar: clang+llvm-6.0.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz: Cannot open: No such file or directory The build was successful when the option Is my assumption correct? please suggest. |
The above issue is solved by setting the proxies inside |
|
I get the following error when building with the latest SHA (without any local change) via
|
It turns out that there are some issues with my MacBook and my colleague is able to build FIPS envoy with the latest SHA on his MacBook. Sorry for the confusion. |
Right now, envoyproxy uses BoringSSL, and does not have a mechanism to substitute another TLS stack. Specifically, I am thinking of OpenSSL. Is there any interest in adding support to compile envoy with OpenSSL?
A follow-on question is whether dynamic linking of BoringSSL/OpenSSL would be supported.
The text was updated successfully, but these errors were encountered: