Node 4.2: Unable to run Node in non-FIPS mode if compiled with FIPS support #3819
As currently implemented, when Node is compiled with FIPS support (
What seems needed to me is a way to explicitly enable or disable FIPS operation each time node is invoked. The way this is done with the openssl CLI is via the OPENSSL_FIPS environment variable.
It is straightforward to add a similar capability to Node. A pull request with a suggested implementation is forthcoming.
Certainly if npm can be made to run with FIPS mode active, that's a good thing. But in any case I agree with @mhdawson that some form of runtime switch is needed to make a FIPS validated Node practical.
I'm pushing my company pretty hard to move our entire tech stack to Node, and running FIPS validated is a key part of that.
Another complication is that the test cases will become much more complex:
(1) Turn on FIPS.
Not sure whether this applies to 4.x as well; however, I had to fix v5.0.0 too because it never called FIPS_mode() (and if compiled with -DFIPS_NODE it calls fips_mode_set(1) again and again w/o need, which in turn causes annoying messages)! Anyway, see http://iws.cs.uni-magdeburg.de/~elkner/tmp/node5/ssl.patch and look for 'FIPS_mode()' (2 places) - the major problem.
BTW: I think the major issue here is that it is assumed that a FIPS capable lib is always used with FIPS_mode set to 1. This is wrong! Actually one doesn't need a non-FIPS capable OpenSSL lib at all if the application provides a mechanism to switch it on on demand (e.g. node --fips), because basically only then the non-FIPS compliant stuff gets switched off.
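
A sketch of the on-demand switch discussed in this thread, as an added example that is not code from Node or from the linked patch. It uses the `crypto.getFips()`/`crypto.setFips()` API of later Node releases, queries the current mode before setting it, and assumes that a `--fips` argument or the presence of `OPENSSL_FIPS` is the request; the function names and the fail-closed policy are hypothetical.

```javascript
// Added illustration; not code from Node.js or from the patch linked in the thread.
const nodeCrypto = require('node:crypto');

// Assumption: FIPS is requested by a "--fips" argument (the thread's example)
// or by OPENSSL_FIPS being present in the environment.
function fipsRequested(env, argv) {
  return argv.includes('--fips') || env.OPENSSL_FIPS !== undefined;
}

// Bring the crypto backend into the requested mode. `backend` only needs
// getFips()/setFips(), so a stub can stand in for a FIPS-capable build.
function applyFipsMode(requested, backend = nodeCrypto) {
  const before = Boolean(backend.getFips());
  // Query first: setting a mode that is already active is the redundant
  // call described in the thread.
  if (before === requested) {
    return { requested, active: before, changed: false, error: null };
  }
  try {
    backend.setFips(requested);
  } catch (err) {
    // Expected on a build without a FIPS module: the switch is refused.
    return { requested, active: before, changed: false, error: err.message };
  }
  const active = Boolean(backend.getFips());
  return { requested, active, changed: active !== before, error: null };
}

// Fail closed: if FIPS was asked for but is not active, refuse to continue
// rather than silently running with non-validated crypto.
function startCrypto(env, argv, backend = nodeCrypto) {
  const result = applyFipsMode(fipsRequested(env, argv), backend);
  if (result.requested && !result.active) {
    throw new Error(`FIPS mode requested but not active: ${result.error}`);
  }
  return result;
}
```

Calling `startCrypto(process.env, process.argv)` at startup gives one place where the mode is decided and verified for that invocation.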