FIPS support in Fluentd

[javsalgar]

Check CONTRIBUTING guideline first and here is the list to help us investigate the problem.

Is your feature request related to a problem? Please describe.

I would like to confirm that it is possible to configure Fluentd to only use FIPS-validated cryptography. I saw that starting with 0.14.12 there is support for SSL when forwarding. Would using a FIPS-validated OpenSSL be enough or there are other encryption functions that need to be configured in order to be FIPS-compliant (https://docs.pulsesecure.net/WebHelp/PCS/9.1R4/AG/Content/PCS/PCS_AdminGuide/Supported_Cipher_Suites_When_2.htm)

Describe the solution you'd like

A confirmation on whether using a FIPS-validated OpenSSL is enough.

Describe alternatives you've considered

n/a

[repeatedly]

What changes are needed in fluentd core?
Need to call some OpenSSL APIs"?

[agup006]

@javsalgar I'd love to better understand the use case for FIPS

[OferPRTZ]

Hi, any progress on this? couldn't find any other topics discussing this thread

[nandu1508]

@javsalgar Please share your findings on this

[seanorama]

@javsalgar I'd love to better understand the use case for FIPS

Most governments require FIPS-validation. It's an absolute requirement by the US government.

[sfc-gh-stopchiy]

+1

[gauravphagrehpe]

+1

[cosmo0920]

To support OpenSSL FIPS on Fluentd, users must install openssl library with FIPS support. This module sometimes isn't provided for non-commercial distribution such as Ubuntu.
Ubuntu does not support FIPS on non-Pro clients:
https://ubuntu.com/security/certifications/docs/fips

So, users ought to compile it with fips support by themselves if users don't use commercial distributions.

I found the some hints to enable FIPS mode:

• https://hackmd.io/@jaruga/ryDnksRm2
• https://www.openssl.org/docs/manmaster/man7/fips_module.html

If the FIPS enabled libraries are installed, users must enable FIPS module as follows:

config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes

The current status of FIPS support on ruby/openssl is here:
ruby/openssl#603

Any thoughts, @ashie @kenhys @daipom?

[kenhys]

According to ruby/openssl#603 and https://github.com/ruby/openssl/releases/tag/v3.2.0, all of FIPS support effort is not fully merged in v3.2.0, so need to wait newer ruby/openssl release. (e.g. ruby/openssl#694 was fixed after v3.2.0)

As it depends on user environment, so it seems that there is few space to deal in Fluentd side, isn't it?

If it is easy to detect whether running FIPS compliant openssl from Fluentd side, checking it in Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)

[cosmo0920]

If it is easy to detect whether running FIPS compliant openssl from Fluentd side, checking it in Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)

Yup. It's reasonable. We're only able to switch on/off or to detect whether FIPS is enabled or not.
Under this circumstance, we're able to provide switch on/off for FIPS module with a certain parameter and decline to launch Fluentd with OpenSSL.fips_mode.

[ira-gordin-sap]

Hi, any update on this enhancement?