
Investigate OpenSSL FIPS configuration using openssl.cnf #28531

Closed
danbev opened this issue Jul 4, 2019 · 1 comment
Assignees
Labels
crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency.

Comments

danbev (Contributor) commented Jul 4, 2019

This issue was discovered by dynamically linking to Red Hat's OpenSSL 1.1.1c (which has not yet been released). This might not be an issue for other platforms, but we should still look into it and verify that configuring FIPS is supported by adding this configuration option to openssl.cnf, as discussed in #28507.

This issue is related to configuring OpenSSL FIPS support by using the OpenSSL configuration file:

```console
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
```

It should be possible to enable FIPS by setting fips_mode to true/yes in /etc/pki/tls/openssl.cnf:

```ini
openssl_conf = default_modules

[ default_modules ]
alg_section = evp_settings

[ evp_settings ]
fips_mode = true
```

Starting node with the above configuration:

```console
$ OPENSSL_CONF=/etc/pki/tls/openssl.cnf ./node -p "require('crypto').getFips()"
openssl config failed: error:060B10A7:digital envelope routines:alg_module_init:fips mode not supported
0
```

Note that it is possible to enable fips using --enable-fips:

```console
$ ./node --enable-fips -p "require('crypto').getFips()"
1
```

Since OpenSSL in this case is modified to provide FIPS support and has not been released yet, I can't rule out that there is a bug/missing patch which is causing this.

I'm heading off on PTO tomorrow but I'll follow up on this when I get back in August.

@danbev danbev self-assigned this Jul 4, 2019
@bnoordhuis bnoordhuis added crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency. labels Jul 4, 2019
danbev (Contributor, Author) commented Jul 5, 2019

Looking into this a little closer it turns out that RHEL8/UBI8 (Universal Base Image) has the concept of a system wide security policy which can be enabled:

```console
$ update-crypto-policies --set FIPS
```

This will enable FIPS much like setting fips_mode in openssl.cnf. Enabling FIPS this way and then running getFips() will return 1 without having to specify the --enable-fips option.

My understanding is that setting fips_mode in openssl.cnf is not supported on RHEL8/UBI8 and hence this issue is not really valid, at least not with the current information in the description. I'm going to close this for now and we can create a new task when there are other FIPS compatible OpenSSL libraries available for testing.

@danbev danbev closed this as completed Jul 5, 2019