FIPS build instructions #2242
mscdex added the openssl label (Issues and PRs related to the OpenSSL dependency.) and removed the crypto label (Issues and PRs related to the crypto subsystem.) on Jul 24, 2015
/cc @nodejs/crypto and in particular @indutny
Sounds great! Thanks for bringing it up @mhdawson
mhdawson added a commit that referenced this issue on Aug 19, 2015:
Update the instructions to follow the requirements in the security policy and user guide
PR-URL: #2278
Fixes: #2242
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Rod Vagg <[email protected]>
Resolved by d98eed5
Fishrock123 pushed a commit to Fishrock123/node that referenced this issue on Aug 19, 2015:
Update the instructions to follow the requirements in the security policy and user guide
PR-URL: nodejs#2278
Fixes: nodejs#2242
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Rod Vagg <[email protected]>
I'll start out by apologizing that I did not have time to review/comment on this while the initial doc was being written in #1890 but I think we have a few issues:
My read is that in Appendix A, page 27 it states that unless you build in a specific way the following applies as written on page 28:
Our current instructions here: https://github.com/nodejs/io.js describe building with a prefix which would not match the above instructions. The user guide here https://openssl.org/docs/fips/UserGuide-2.0.pdf specifically calls out that you cannot use a prefix (see section 5.7.1 on page 63).
I think we might be able to update the instructions to indicate to build as outlined in the security policy/user guide and then update the configure line (what is shown is where the make installed on ubuntu 12, we probably need something more generic or to just say to point it to where make install did the installation).
I have a compile going to see if things build/run ok with that.
There is a requirement to get the source through a "trusted" path. See page 87 in https://openssl.org/docs/fips/UserGuide-2.0.pdf. What we currently describe in our readme is likely not sufficient to ensure that people understand that they have to verify with an already validated tool or get the source through a trusted path like email.
There might be other gotchas in the security policy/user guide but I've not had time to do a full read yet. One I'm wondering about is 5.1 on page as I'm not sure if absolutely all of the crypto in Node comes from openssl or not.
If there is consensus that we need to adjust the doc I can put together a pull request.