Enabling FIPS-compliant encryption #25463
Comments
|
I have had a few internal teams within IBM ask for this as well. @nzakas have you looked into the details whether simply enabling the FIPs mode in OpenSSL would be enough for consumers to use Node when FIPS compliance is required ? If you have researched/thought about this I'd be interested in setting up a time for a conversation. |
|
Are you talking about calling |
|
No, I meant does simply having Node use a version of OpenSSL compiled in FIPs mode enough for users that have a FIPs requirement as there is Node specific code in the path between the request and the crypto operations that take place. |
|
The other issue might also be if there are any patches in Node which are floated on top of OpenSSL and what that would to do the FIPs cert |
|
Hello! I have did it in bud: It should be pretty straightforward to integrate it in node.js/io.js . The way it works in bud is following:
There is only minor nit that will be required for this in node.js, that is not required in bud. It is patched version of |
|
TL;DR: going to port this code right now, expect a PR today or tomorrow. |
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
|
@mhdawson I believe so, I'll get clarification from our security folks. From my discussions with them thus far, it seems to be enough of we can prove Node.js crypto is running against the FIPS-enabled OpenSSL. |
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `git apply /path/to/io.js/deps/openssl/fips/fipsld.diff` 5. `make -j && make install` 6. Get into io.js checkout folder 7. `./configure --openssl-fips=/path/to/openssl-fips/out` 8. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
|
Yay, a PR for io.js: nodejs/node#1890 . I guess it can be easily backported to node.js. |
|
Just confirmed with our security folks that we must call |
|
Going off of the OpenSSL Fips User Guide, it should call Additionally as described above fipsld is required to properly do the linking and for the integrity tests. Also I want to point out one important fact listed in page 42 and 45 of the user guide. Basically NIST standards maintain that the source must be obtained via a "secure installation". You cannot just download the source and validate it using a preinstalled FIPS validated openssl. Their recommendation is to contact OSF and ask for a CD with the source. Page 88 has alternative suggestions on how to validate it but even then no luck using an old OpenSSL version. |
|
@indutny 👍 @nzakas ... the key question for whether this can be enabled in v0.10 is whether it changes any of the default APIs or behaviors (which I wouldn't expect). The fact that it's put behind a @nzakas .. interesting in helping out with a pull request based on @indutny's work? :-) |
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. `cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out` 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` Fix: nodejs/node-v0.x-archive#25463
|
@nc-box I think what we'd want is a documented set of steps that would result in a configuration that would meet FIPs requirements. 1) Get CD from X, etc. |
|
@jasnell interested, yes, but I'm away from my computer for a few weeks (on a tablet right now). If someone else wants to take it, I'd be grateful; if not, I'll follow up when I'm back on a computer. |
|
@mhdawson At this time, I would suggest referring to the OpenSSL FIPS User Guide (https://openssl.org/docs/fips/UserGuide-2.0.pdf) for details around building a version of OpenSSL that meets the FIPS requirements. The User Guide provides more information and considerations when trying to build and use the FIPS compliant version of OpenSSL. |
Support building and running with FIPS-compliant OpenSSL. The process is following: 1. Download and verify `openssl-fips-x.x.x.tar.gz` from https://www.openssl.org/source/ 2. Extract source to `openssl-fips` folder 3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out`` (NOTE: On OS X, you may want to run ``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to build x64-mode io.js) 4. `make -j && make install` 5. Get into io.js checkout folder 6. `./configure --openssl-fips=/path/to/openssl-fips/out` 7. Build io.js with `make -j` 8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`) Fix: nodejs/node-v0.x-archive#25463 PR-URL: #1890 Reviewed-By: Rod Vagg <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
|
so i was the author of PR #6380, anyway, this is how we build FIPS compliant nodejs http://arthur-notes.youramaryllis.com/2014/12/nodejs-fips.html. and one "side" effect after enabling FIPS is calling anything function using md5 will crash. node would just crash as FIPS implementation will exit the application. btw, it's nice we finally have some discussion of getting FIPS compliance to nodejs. thanks. |
|
@arthurtsang nice one! I think we already landed it in io.js, see the commit above ;) |
|
What is the status of this item? As others have noted, we'd need a Node API call to invoke the FIPS_set_mode(1) library call. I'm also curious about the question @mhdawson asked re: patches on top of OpenSSL (I apologize, but I'm not a Node.js guy, and I'm going based off of https://github.com/joyent/node/wiki/OpenSSL-upgrade-process). |
|
It's waiting for someone to port @indutny 's io.js patch to Node. |
|
@nzakas why should it be ported? Technically it is the same project now, we're just merging everything together atm. |
|
Ok, so the question then becomes: is there reason to enable FIPS in v0.12. Technically that would qualify as a new feature. The informal policy so far has been to defer new features to the converged repo. Perhaps for v0.12, the best thing to do would be to document how someone could build v0.12 on their own with FIPS enabled but defer actually merging that into core until we're working from the converged repo (or, perhaps, getting it landed in the io.js stream). |
|
@jasnell I believe it was already landed in io.js master some time ago. |
|
At work we are still using 0.10.x, upgrading breaks a lot of the world for us, so was looking for an intermediate solution. |
|
What is the status of this issue in the NodeJS 4.0 release? We are looking to use NodeJS on a project but it requires FIPS compliance. |
|
It is already in 4.0 |
|
sweet! thanks! |
|
I'm using node-v5.0.0, after enabling fips support, as @arthurtsang said before any usage of md5 will crash, even the npm is broken..
|
|
@arash16 What do you mean, "enabling FIPS support?" MD5 is not a FIPS-approved digest algorithm, so if you put OpenSSL into FIPS mode, MD5 is not going to be available to you. In FIPS mode you need to use SHA. |
|
I thinking at this point this issue can be closed. Support is enabled in 4.x and later, and with the 0.10 and 0.12 end of life within 6 months I don't think it will be backported. Please let me know if you disagree. |
and others
For many in enterprises, regulations require the use of FIPS-compliant encryption tools. OpenSSL itself is not FIPS compliant, but does have a module that is (http://www.openssl.org/docs/fips/fipsnotes.html). It's possible to hack this into a custom build of Node.js (http://arthur-notes.youramaryllis.com/2014/12/nodejs-fips.html), but it would be nice to have it supported by Node directly (preferably starting with 0.10.x).
Someone had submitted a PR a while back for this: #6380
Is this something that would be considered?
The text was updated successfully, but these errors were encountered: