FIPS and shared openssl #3077

Closed
Nibbler999 opened this issue Sep 26, 2015 · 9 comments
Labels
build Issues and PRs related to build files or the CI. openssl Issues and PRs related to the OpenSSL dependency.

Comments

@Nibbler999
Contributor

If you build against the system openssl in Fedora 23 (1.0.2d-fips), node tries to enable FIPS. This causes around 100 test failures/crashes. It would be better if it only enabled FIPS if you explicitly use `--openssl-fips`.

@mscdex mscdex added openssl Issues and PRs related to the OpenSSL dependency. build Issues and PRs related to build files or the CI. labels Sep 26, 2015
@develop7

develop7 commented Oct 1, 2015

+1 here — we openSUSE Tumbleweed users ran into this issue as well, see https://bugzilla.opensuse.org/show_bug.cgi?id=947747

@develop7

develop7 commented Oct 1, 2015

@develop7

develop7 commented Oct 1, 2015

/cc @indutny :)

indutny added a commit to indutny/io.js that referenced this issue Oct 1, 2015
Do not rely on `OPENSSL_FIPS` in `node_crypto.cc` when building with
shared FIPS-enabled OpenSSL library. Enable FIPS in core only when
configured with `--openssl-fips`.

Fix: nodejs#3077
@indutny
Member

indutny commented Oct 1, 2015

Should be fixed by #3153. Thanks!

@indutny indutny closed this as completed in 9bd26e7 Oct 1, 2015
@indutny
Member

indutny commented Oct 1, 2015

Fixed in 9bd26e7

@Nibbler999
Contributor Author

Fix confirmed, thanks!

indutny added a commit that referenced this issue Oct 2, 2015
Do not rely on `OPENSSL_FIPS` in `node_crypto.cc` when building with
shared FIPS-enabled OpenSSL library. Enable FIPS in core only when
configured with `--openssl-fips`.

Fix: #3077
PR-URL: #3153
Reviewed-By: Ben Noordhuis <[email protected]>
@kasicka

kasicka commented Aug 23, 2017

So, is there a way to have FIPS and shared openssl?

@bnoordhuis
Member

@kasicka Does `node --enable-fips` or `node --force-fips` work?

@kasicka

kasicka commented Aug 31, 2017

Built on system without fips enabled:

```
[root@localhost asdf]# cat /proc/sys/crypto/fips_enabled
1
[root@localhost asdf]# node --enable-fips
node: bad option: --enable-fips
[root@localhost asdf]# node --force-fips
node: bad option: --force-fips
```

Built on system with enabled fips has the same results, multiple tests failed.
Also:

```
[root@localhost asdf]# node -p "process.versions.openssl"
1.0.2k-fips
```

I did not build it with `--openssl-fips`, because the fips functionality should be provided by openssl and I wasn't sure what to supply to the option.
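The checks in the comment above look at three separate things: the kernel FIPS flag, the version string of the linked OpenSSL, and what the node binary itself does. The following is an added example, not code from the thread or from the Node.js project, that gathers those signals in one report; `classifyFips` and `collectSignals` are hypothetical names, the finding labels are this example's own, and `crypto.getFips()` is only present in later Node.js releases than the ones discussed here.

```javascript
// Added diagnostic example; not part of the Node.js code base.
// Pure classifier over three signals so it can be checked on constructed input:
//   kernelFlag     - contents of /proc/sys/crypto/fips_enabled, or null if unreadable
//   opensslVersion - process.versions.openssl
//   nodeFipsMode   - crypto.getFips(): 1 when a FIPS provider is in use, else 0
function classifyFips({ kernelFlag, opensslVersion, nodeFipsMode }) {
  const kernelFips = kernelFlag === '1';
  // A "-fips" suffix only says the library was built FIPS-capable.
  const libraryTaggedFips = /-fips\b/.test(opensslVersion || '');
  const nodeFips = nodeFipsMode === 1;

  let finding;
  if (nodeFips) finding = 'node-fips-active';
  else if (kernelFips) finding = 'kernel-fips-but-node-not';
  else if (libraryTaggedFips) finding = 'fips-capable-library-only';
  else finding = 'no-fips';

  return { kernelFips, libraryTaggedFips, nodeFips, finding };
}

// Reads the live signals from the running process and host.
function collectSignals() {
  const fs = require('fs');
  const crypto = require('crypto');

  let kernelFlag = null;
  try {
    kernelFlag = fs.readFileSync('/proc/sys/crypto/fips_enabled', 'utf8').trim();
  } catch (err) {
    // Not Linux, or the file is not readable: leave the flag unknown.
  }

  // Fall back to the older crypto.fips property when getFips() is missing.
  const nodeFipsMode = typeof crypto.getFips === 'function'
    ? crypto.getFips()
    : (crypto.fips ? 1 : 0);

  return { kernelFlag, opensslVersion: process.versions.openssl, nodeFipsMode };
}

// Print the report when run directly: node fips-report.js
if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  console.log(classifyFips(collectSignals()));
}
```

A `kernel-fips-but-node-not` finding means the host is in FIPS mode while the node process is not running its crypto in FIPS mode, which is the mismatch worth flagging on a system that is expected to be FIPS-only.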
