Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

Building meshagent with local OpenSSL libraries #2082

Open D4V3M0NK opened 3 years ago

D4V3M0NK commented 3 years ago

@krayon007 Sorry Bryan, I think this one is firmly in your court sir!

So, further to #2079, I think I'm building the agent incorrectly. When I check the `-info` on the agent, it states it's using OpenSSL 1.1.1g whereas it should be using the host's 1.0.2g-fips.

When I'm building Node8 with FIPS, I do install the FIPS libssl dev package: `sudo apt install -y build-essential libssl-dev=1.0.2g-1ubuntu4.fips.4.6.3 clang`.

```
~/MeshAgent$ openssl version
OpenSSL 1.0.2g-fips  1 Mar 2016

~/MeshAgent$ ./meshagent_x86-64 -info
Compiled on: 17:15:21, Jul 30 2020
   Commit Hash: f2eb015b2aa8f98ddc47e7b49aada6331818abea
   Commit Date: 2020-Jul-29 13:25:40-0700
Using OpenSSL 1.1.1g  21 Apr 2020

~/MeshAgent$ cd /home/mc/meshcentral/node_modules/meshcentral/agents

~/mc/meshcentral/node_modules/meshcentral/agents$ chmod 775 meshagent_x86-64

~/mc/meshcentral/node_modules/meshcentral/agents$ ./meshagent_x86-64 -info
Compiled on: 14:06:10, Dec 10 2020
   Commit Hash: cd6353ac289e8e480041e58229c9eb9f74edf939
   Commit Date: 2020-Dec-10 13:54:08-0800
Using OpenSSL 1.1.1i  8 Dec 2020

~/mc/meshcentral/node_modules/meshcentral/agents$ chmod 664 meshagent_x86-64
```

Note: I have updated the server version to 0.7.25 and I'm pretty sure when I do that, new agents are downloaded and placed into the /agents folder - so that would explain the OpenSSL 1.1.1i version at the end. However as you can see when I run the -info in my MeshAgent build folder I get version 1.1.1g and not the expected 1.0.2g-fips that my host OpenSSL is using.

Here's the script that I use to build

BuildScript:

```bash
#!/usr/bin/env bash
set -e                                  # stop at the first failing step
mc2Folder=/home/mc/meshcentral

# NASM (assembler; libjpeg-turbo needs it for its SIMD code)
cd ~
wget https://www.nasm.us/pub/nasm/releasebuilds/2.14.02/nasm-2.14.02.tar.gz -O nasm-2.14.02.tar.gz
tar -xvzf nasm-2.14.02.tar.gz
cd nasm-2.14.02
./configure
make -j8
sudo make install

# libjpeg-turbo
cd ~
wget https://sourceforge.net/projects/libjpeg-turbo/files/1.4.2/libjpeg-turbo-1.4.2.tar.gz/download -O libjpeg-turbo-1.4.2.tar.gz
tar -xvzf libjpeg-turbo-1.4.2.tar.gz
cd libjpeg-turbo-1.4.2
./configure
make -j8

# X11 and JPEG development headers used by the agent's KVM (remote desktop) code
sudo apt-get install -y libx11-dev libxtst-dev libxext-dev libjpeg62-dev

# Build the agent (ARCHID=6 produces meshagent_x86-64) and copy it into the server's agents folder
cd ~
git clone https://github.com/Ylianst/MeshAgent.git
cd MeshAgent
make linux ARCHID=6
sudo cp meshagent_x86-64 ${mc2Folder}/node_modules/meshcentral/agents/
```

To answer questions posed on #2079:

> Were you able to compile the .a files? Normally this is the command we use to configure OpenSSL when compiling, for linux on 64bit x86: `./Configure linux-x86_64 no-weak-ssl-ciphers no-srp no-psk no-comp no-zlib no-zl...`

When you state "how [you] configure OpenSSL when compiling", are you referring to when you're compiling the MeshAgent? (if not and you're referring to compiling OpenSSL, I'm using pre-compiled Canonical FIPS compliant libraries, therefore I'm not permitted to recompile). Or maybe I've got the wrong end of the stick and should be running your "./Configure..." line before the make linux ARCHID=6 line?

krayon007 commented 3 years ago

OK, I see what's going on... I was referring to compiling static libraries for OpenSSL... You are wanting to dynamically link openssl using whatever OpenSSL library is installed on the platform? I will add a compile switch to the makefile to support that when compiling the agent...

D4V3M0NK commented 3 years ago

You sir, are a gent and a scholar ... :beer: That's exactly what I'm after...

krayon007 commented 3 years ago

Ok, I just pushed a new makefile...

If you add the switch DYNAMICTLS=1 it will link the shared library installed on your platform instead of the static libraries. So for example:

```
make linux ARCHID=6 DYNAMICTLS=1
```

You have to install the dev libraries first, so in my case, I did: `apt-get install libssl-dev` and tested against that. This installed a 1.1.1 branch, so if you have problems with the 1.0.2 branch let me know.
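
The question this thread keeps circling is whether a given `meshagent_x86-64` will use the host's libssl or carries its own copy. A statically linked agent has no `DT_NEEDED` entry for libssl/libcrypto but does embed the library's own `OpenSSL x.y.z  <date>` build string (the string `-info` prints); a `DYNAMICTLS=1` build does the reverse. The following is an added example, not code from MeshAgent or MeshCentral: it parses the ELF section headers to list `DT_NEEDED` libraries and scans the image for embedded OpenSSL version strings. Function names are mine, and the program-headers-only case (section headers stripped) is deliberately not handled.

```python
"""Does an ELF binary use the host's OpenSSL, or carry its own copy?
Added example (not MeshAgent code): reads DT_NEEDED from the ELF .dynamic
section and scans for the embedded "OpenSSL x.y.z  <date>" version string."""
import re
import struct

SHT_DYNAMIC = 6              # section type of .dynamic
DT_NULL, DT_NEEDED = 0, 1    # dynamic-entry tags we care about

# Matches the build string libssl/libcrypto embed, e.g.
# "OpenSSL 1.1.1g  21 Apr 2020" or "OpenSSL 1.0.2g-fips  1 Mar 2016".
OPENSSL_VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-fips)?)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")


def _section_headers(data, is64, end):
    """Return (type, offset, size, link) for every section header."""
    if is64:
        (e_shoff,) = struct.unpack_from(end + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
        fmt = end + "IIQQQQIIQQ"      # Elf64_Shdr, 64 bytes
    else:
        (e_shoff,) = struct.unpack_from(end + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x2E)
        fmt = end + "IIIIIIIIII"      # Elf32_Shdr, 40 bytes
    headers = []
    for i in range(e_shnum):
        f = struct.unpack_from(fmt, data, e_shoff + i * e_shentsize)
        # fields: name, type, flags, addr, offset, size, link, info, align, entsize
        headers.append((f[1], f[4], f[5], f[6]))
    return headers


def elf_needed_libs(data):
    """DT_NEEDED shared-object names of an ELF image held in `data` (bytes).
    A fully static executable has no .dynamic section and yields []."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    headers = _section_headers(data, is64, end)
    dynamic = [h for h in headers if h[0] == SHT_DYNAMIC]
    if not dynamic:
        return []  # static binary (also true if section headers were stripped)
    _, dyn_off, dyn_size, strtab_idx = dynamic[0]
    strtab_off = headers[strtab_idx][1]  # sh_link of .dynamic points at .dynstr
    fmt, entsize = (end + "qQ", 16) if is64 else (end + "iI", 8)
    needed = []
    for off in range(dyn_off, dyn_off + dyn_size, entsize):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            start = strtab_off + val
            needed.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return needed


def embedded_openssl_versions(data):
    """Distinct OpenSSL version strings compiled into the image (static linking)."""
    return sorted({m.group(1).decode() for m in OPENSSL_VERSION_RE.finditer(data)})


def classify(needed, embedded):
    """One-line verdict from the two observations."""
    ssl_libs = [n for n in needed if n.startswith(("libssl.so", "libcrypto.so"))]
    if ssl_libs:
        return "dynamic: uses the host's " + ", ".join(ssl_libs)
    if embedded:
        return "static: carries its own OpenSSL " + ", ".join(embedded)
    return "no OpenSSL linkage found"


def inspect_binary(path):
    with open(path, "rb") as f:
        data = f.read()
    needed = elf_needed_libs(data)
    embedded = embedded_openssl_versions(data)
    return {"needed": needed, "embedded": embedded, "verdict": classify(needed, embedded)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("usage: %s <elf-binary> [...]" % sys.argv[0])
    for p in sys.argv[1:]:
        print(p, inspect_binary(p))
```

Run it against the agent in the build folder and the one the server dropped into `agents/`: a static build reports `static: carries its own OpenSSL 1.1.1g` with no libssl in `needed`, while a `DYNAMICTLS=1` build reports `dynamic: uses the host's libssl.so.1.0.0, libcrypto.so.1.0.0` (or the `.so.1.1` SONAMEs on a 1.1.x host). If the verdict says static, the `-info` line will keep showing the bundled version no matter what `openssl version` says on the host.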

D4V3M0NK commented 3 years ago

I really appreciate this Bryan - I'll let you know how I get on

D4V3M0NK commented 3 years ago

Ok @krayon007 , so here's the first stab at this. Initially, wanted to check that I had the libssl-dev package installed, which looks good (as well as the version):

```
$ dpkg-query -l | grep libssl-dev
ii  libssl-dev:amd64                    1.0.2g-1ubuntu4.fips.4.17.1                     amd64        Secure Sockets Layer toolkit - development files
```

So I used `make linux ARCHID=6 DYNAMICTLS=1`, which resulted in a number of undefined references.

Compile1 snippet:

```
...
gcc -DJPEGMAXBUF=0 -DMESH_AGENTID=6 -std=gnu99 -g -Wall -D_POSIX -DMICROSTACK_PROXY -DILibChain_WATCHDOG_TIMEOUT=6000000 -fno-strict-aliasing -I. -Iopenssl/include -Imicrostack -Imicroscript -Imeshcore -Imeshconsole -DDUK_USE_DEBUGGER_SUPPORT -DDUK_USE_INTERRUPT_COUNTER -DDUK_USE_DEBUGGER_INSPECT -DDUK_USE_DEBUGGER_PAUSE_UNCAUGHT -D_LINKVM -DMICROSTACK_TLS_DETECT -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fstack-protector -fno-strict-aliasing -c -o meshcore/agentcore.o meshcore/agentcore.c
gcc -DJPEGMAXBUF=0 -DMESH_AGENTID=6 -std=gnu99 -g -Wall -D_POSIX -DMICROSTACK_PROXY -DILibChain_WATCHDOG_TIMEOUT=6000000 -fno-strict-aliasing -I. -Iopenssl/include -Imicrostack -Imicroscript -Imeshcore -Imeshconsole -DDUK_USE_DEBUGGER_SUPPORT -DDUK_USE_INTERRUPT_COUNTER -DDUK_USE_DEBUGGER_INSPECT -DDUK_USE_DEBUGGER_PAUSE_UNCAUGHT -D_LINKVM -DMICROSTACK_TLS_DETECT -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fstack-protector -fno-strict-aliasing -c -o meshconsole/main.o meshconsole/main.c
gcc -DJPEGMAXBUF=0 -DMESH_AGENTID=6 -std=gnu99 -g -Wall -D_POSIX -DMICROSTACK_PROXY -DILibChain_WATCHDOG_TIMEOUT=6000000 -fno-strict-aliasing -I. -Iopenssl/include -Imicrostack -Imicroscript -Imeshcore -Imeshconsole -DDUK_USE_DEBUGGER_SUPPORT -DDUK_USE_INTERRUPT_COUNTER -DDUK_USE_DEBUGGER_INSPECT -DDUK_USE_DEBUGGER_PAUSE_UNCAUGHT -D_LINKVM -DMICROSTACK_TLS_DETECT -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fstack-protector -fno-strict-aliasing -c -o meshcore/meshinfo.o meshcore/meshinfo.c
gcc microstack/ILibAsyncServerSocket.o microstack/ILibAsyncSocket.o microstack/ILibAsyncUDPSocket.o microstack/ILibParsers.o microstack/ILibMulticastSocket.o microstack/ILibRemoteLogging.o microstack/ILibWebClient.o microstack/ILibWebRTC.o microstack/ILibWebServer.o microstack/ILibCrypto.o microstack/ILibWrapperWebRTC.o microstack/ILibSimpleDataStore.o microstack/ILibProcessPipe.o microstack/ILibIPAddressMonitor.o microscript/duktape.o microscript/duk_module_duktape.o microscript/ILibDuktape_DuplexStream.o microscript/ILibDuktape_Helpers.o microscript/ILibDuktape_net.o microscript/ILibDuktape_ReadableStream.o microscript/ILibDuktape_WritableStream.o microscript/ILibDuktapeModSearch.o microscript/ILibDuktape_WebRTC.o microscript/ILibDuktape_SimpleDataStore.o microscript/ILibDuktape_GenericMarshal.o microscript/ILibDuktape_fs.o microscript/ILibDuktape_SHA256.o microscript/ILibduktape_EventEmitter.o microscript/ILibDuktape_EncryptionStream.o microscript/ILibDuktape_Polyfills.o microscript/ILibDuktape_Dgram.o microscript/ILibDuktape_ScriptContainer.o microscript/ILibDuktape_MemoryStream.o microscript/ILibDuktape_NetworkMonitor.o microscript/ILibDuktape_ChildProcess.o microscript/ILibDuktape_HttpStream.o microscript/ILibDuktape_Debugger.o microscript/ILibDuktape_CompressedStream.o meshcore/zlib/adler32.o meshcore/zlib/deflate.o meshcore/zlib/inffast.o meshcore/zlib/inflate.o meshcore/zlib/inftrees.o meshcore/zlib/trees.o meshcore/zlib/zutil.o meshcore/KVM/Linux/linux_kvm.o meshcore/KVM/Linux/linux_events.o meshcore/KVM/Linux/linux_tile.o meshcore/KVM/Linux/linux_compression.o meshcore/agentcore.o meshconsole/main.o meshcore/meshinfo.o -l:lib-jpeg-turbo/linux/x86-64/libturbojpeg.a -L. -lpthread -ldl -lutil -lm -no-pie -lssl -lcrypto -lrt -z noexecstack -z relro -z now -o meshagent_x86-64
microstack/ILibWebClient.o: In function `ILibWebClient_Https_AuthenticateServer':
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3513: undefined reference to `X509_STORE_CTX_get0_chain'
microstack/ILibWebClient.o: In function `ILibWebClient_EnableHTTPS':
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3538: undefined reference to `TLS_client_method'
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3545: undefined reference to `SSL_CTX_set_options'
microstack/ILibWebRTC.o: In function `ILibStun_AddMessageIntegrityAttr':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:1404: undefined reference to `HMAC_CTX_new'
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:1408: undefined reference to `HMAC_CTX_free'
microstack/ILibWebRTC.o: In function `ILibTURN_CalculateMessageIntegrity':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:6670: undefined reference to `HMAC_CTX_new'
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:6674: undefined reference to `HMAC_CTX_free'
microstack/ILibWebRTC.o: In function `ILibStun_ProcessStunPacket':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:2032: undefined reference to `HMAC_CTX_new'
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:2036: undefined reference to `HMAC_CTX_free'
microstack/ILibWebRTC.o: In function `ILibStun_SendDtls':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:3054: undefined reference to `SSL_get_state'
microstack/ILibWebServer.o: In function `ILibWebServer_Session_Verify':
/home/ubuntu/MeshAgent/microstack/ILibWebServer.c:963: undefined reference to `X509_STORE_CTX_get0_chain'
microstack/ILibWebServer.o: In function `ILibWebServer_EnableHTTPS':
/home/ubuntu/MeshAgent/microstack/ILibWebServer.c:990: undefined reference to `TLS_server_method'
/home/ubuntu/MeshAgent/microstack/ILibWebServer.c:997: undefined reference to `SSL_CTX_set_options'
microstack/ILibCrypto.o: In function `util_openssl_init':
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:457: undefined reference to `OPENSSL_init_ssl'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:458: undefined reference to `OPENSSL_init_ssl'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:459: undefined reference to `OPENSSL_init_crypto'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:461: undefined reference to `OPENSSL_init_crypto'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:462: undefined reference to `OPENSSL_init_crypto'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:463: undefined reference to `OPENSSL_init_crypto'
microstack/ILibCrypto.o: In function `sk_PKCS7_SIGNER_INFO_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/pkcs7.h:49: undefined reference to `OPENSSL_sk_value'
/home/ubuntu/MeshAgent/openssl/include/openssl/pkcs7.h:49: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_PKCS7_SIGNER_INFO_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/pkcs7.h:49: undefined reference to `OPENSSL_sk_num'
microstack/ILibCrypto.o: In function `sk_X509_ALGOR_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/asn1.h:119: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_X509_ALGOR_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/asn1.h:119: undefined reference to `OPENSSL_sk_num'
microstack/ILibCrypto.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_X509_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_num'
microstack/ILibCrypto.o: In function `util_mkCert':
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:724: undefined reference to `X509_getm_notBefore'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:725: undefined reference to `X509_getm_notAfter'
microstack/ILibCrypto.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_X509_free':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_free'
microstack/ILibCrypto.o: In function `sk_X509_new_null':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_new_null'
microstack/ILibCrypto.o: In function `sk_X509_push':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_push'
microstack/ILibCrypto.o: In function `sk_X509_free':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_free'
microstack/ILibCrypto.o: In function `util_openssl_uninit':
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:506: undefined reference to `OPENSSL_cleanup'
microscript/ILibDuktape_net.o: In function `ILibDuktape_TLS_createSecureContext':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2384: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2385: undefined reference to `SSL_CTX_set_options'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2399: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2400: undefined reference to `SSL_CTX_set_options'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2429: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2430: undefined reference to `SSL_CTX_set_options'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2414: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2415: undefined reference to `SSL_CTX_set_options'
microscript/ILibDuktape_net.o: In function `ILibDuktape_TLS_verify':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2028: undefined reference to `X509_STORE_CTX_get0_chain'
microscript/ILibDuktape_net.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microscript/ILibDuktape_net.o: In function `sk_X509_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_num'
microscript/ILibDuktape_net.o: In function `ILibDuktape_TLS_server_verify':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2056: undefined reference to `X509_STORE_CTX_get0_chain'
microscript/ILibDuktape_net.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microscript/ILibDuktape_net.o: In function `sk_X509_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_num'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_SHA256_SIGNER_Finalizer':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:150: undefined reference to `EVP_MD_CTX_free'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_SHA256_SIGNER_Create':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:254: undefined reference to `EVP_MD_CTX_new'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_VERIFIER_Create':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:331: undefined reference to `EVP_MD_CTX_new'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:339: undefined reference to `X509_get0_pubkey'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_RSA_Verify':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:391: undefined reference to `X509_get0_pubkey'
microscript/ILibDuktape_Polyfills.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microscript/ILibDuktape_Polyfills.o: In function `sk_X509_free':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_free'
microscript/ILibDuktape_Polyfills.o: In function `ILibDuktape_bignum_fromBuffer':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_Polyfills.c:2149: undefined reference to `BN_lebin2bn'
microscript/ILibDuktape_ScriptContainer.o: In function `ILibDuktape_ScriptContainer_Process_Init':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_ScriptContainer.c:1217: undefined reference to `OpenSSL_version'
meshconsole/main.o: In function `main':
/home/ubuntu/MeshAgent/meshconsole/main.c:241: undefined reference to `OpenSSL_version'
collect2: error: ld returned 1 exit status
makefile:497: recipe for target 'meshagent_x86-64' failed
make[1]: *** [meshagent_x86-64] Error 1
make[1]: Leaving directory '/home/ubuntu/MeshAgent'
makefile:562: recipe for target 'linux' failed
make: *** [linux] Error 2
```

Apologies Bryan, my ineptitude at not being a C programmer is going to show profoundly so I'm not going to be much help here, other than responding back with results ... In the hope that this is somewhat useful, my setup:

Versions of gcc, clang and make:

```
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 5.4.0-6ubuntu1~16.04.12' --with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-5 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)

clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/6.0.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/5.4.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6.0.0
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0
Candidate multilib: .;@m64
Selected multilib: .;@m64

GNU Make 4.1
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```

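
Every symbol the linker could not resolve in the log above (`OPENSSL_init_ssl`, `TLS_client_method`, `HMAC_CTX_new`, `EVP_MD_CTX_new`, `X509_getm_notBefore`, the `OPENSSL_sk_*` stack helpers, `OpenSSL_version`, ...) is an entry point that first appeared in OpenSSL 1.1.0, and the header paths in the log point at the repository's bundled `openssl/include` tree (passed as `-Iopenssl/include` in the gcc lines), not at the host's `/usr/include/openssl`. So `-lssl -lcrypto` did find a library, just a 1.0.2 one that does not export the 1.1.x API the headers declared. The following is an added example, not code from MeshAgent: it reads ld's "undefined reference" output, flags symbols that only exist from 1.1.0 on, and reports which include tree the failing inline stack helpers came from. The symbol table is my own annotation of the 1.1.0 API changes, the function names are mine, and the sample log is an excerpt of the output posted above.

```python
"""Added example (not MeshAgent code): tell a missing-library link failure
apart from an OpenSSL 1.0.2 library / 1.1.x headers mismatch by classifying
the symbols in ld's "undefined reference" output."""
import re

# OpenSSL functions that first appeared in 1.1.0 (my annotation of the 1.1.0
# API changes), mapped to the 1.0.2 spelling each one replaced.
OPENSSL_110_ONLY = {
    "OPENSSL_init_ssl": "SSL_library_init() / SSL_load_error_strings()",
    "OPENSSL_init_crypto": "OpenSSL_add_all_algorithms() and friends",
    "OPENSSL_cleanup": "EVP_cleanup() / ERR_free_strings() / CRYPTO_cleanup_all_ex_data()",
    "OpenSSL_version": "SSLeay_version()",
    "TLS_method": "SSLv23_method()",
    "TLS_client_method": "SSLv23_client_method()",
    "TLS_server_method": "SSLv23_server_method()",
    "SSL_CTX_set_options": "a macro over SSL_CTX_ctrl() in 1.0.2; a real function since 1.1.0",
    "SSL_get_state": "SSL_state()",
    "HMAC_CTX_new": "a stack-allocated HMAC_CTX plus HMAC_CTX_init()",
    "HMAC_CTX_free": "HMAC_CTX_cleanup()",
    "EVP_MD_CTX_new": "EVP_MD_CTX_create()",
    "EVP_MD_CTX_free": "EVP_MD_CTX_destroy()",
    "X509_get0_pubkey": "X509_get_pubkey() (which returns a new reference)",
    "X509_getm_notBefore": "the X509_get_notBefore() macro",
    "X509_getm_notAfter": "the X509_get_notAfter() macro",
    "X509_STORE_CTX_get0_chain": "X509_STORE_CTX_get_chain()",
    "OPENSSL_sk_num": "sk_num()",
    "OPENSSL_sk_value": "sk_value()",
    "OPENSSL_sk_free": "sk_free()",
    "OPENSSL_sk_new_null": "sk_new_null()",
    "OPENSSL_sk_push": "sk_push()",
    "BN_lebin2bn": "(no 1.0.2 equivalent)",
}

UNDEF_RE = re.compile(r"undefined reference to `([A-Za-z_][A-Za-z0-9_]*)'")
HEADER_RE = re.compile(r"(\S+/include/openssl/\w+\.h):\d+:")


def undefined_symbols(ld_output):
    """Unique undefined symbols, in order of first appearance."""
    seen = {}
    for m in UNDEF_RE.finditer(ld_output):
        seen.setdefault(m.group(1))
    return list(seen)


def classify(symbols):
    """Split symbols into OpenSSL >= 1.1.0-only APIs and everything else."""
    new_api = [s for s in symbols if s in OPENSSL_110_ONLY]
    other = [s for s in symbols if s not in OPENSSL_110_ONLY]
    return new_api, other


def header_dirs(ld_output):
    """Include trees the failing inline sk_* helpers were compiled from."""
    return sorted({m.group(1).rsplit("/openssl/", 1)[0] for m in HEADER_RE.finditer(ld_output)})


def diagnose(ld_output):
    syms = undefined_symbols(ld_output)
    new_api, other = classify(syms)
    if not syms:
        return "no undefined references"
    if not other:
        msg = ("header/library mismatch: all %d missing symbols are OpenSSL >= 1.1.0 APIs, "
               "so the headers are 1.1.x but -lssl/-lcrypto resolved to a 1.0.x library" % len(syms))
        dirs = header_dirs(ld_output)
        if dirs:
            msg += "; headers came from " + ", ".join(dirs)
        return msg
    if new_api:
        return "mixed: %d OpenSSL >= 1.1.0 symbols plus %d unrelated (%s)" % (
            len(new_api), len(other), ", ".join(other))
    return "no OpenSSL-version signature; check -l flags and the library search path"


# Constructed sample: an excerpt of the linker output posted in this thread.
SAMPLE_LD_OUTPUT = """\
microstack/ILibWebClient.o: In function `ILibWebClient_EnableHTTPS':
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3538: undefined reference to `TLS_client_method'
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3545: undefined reference to `SSL_CTX_set_options'
microstack/ILibWebRTC.o: In function `ILibStun_AddMessageIntegrityAttr':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:1404: undefined reference to `HMAC_CTX_new'
microstack/ILibCrypto.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `util_mkCert':
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:724: undefined reference to `X509_getm_notBefore'
meshconsole/main.o: In function `main':
/home/ubuntu/MeshAgent/meshconsole/main.c:241: undefined reference to `OpenSSL_version'
collect2: error: ld returned 1 exit status
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LD_OUTPUT
    print(diagnose(text))
    for sym in classify(undefined_symbols(text))[0]:
        print("  %-28s 1.0.2 had: %s" % (sym, OPENSSL_110_ONLY[sym]))
```

Pipe a real build log into it (`make linux ARCHID=6 DYNAMICTLS=1 2>&1 | python3 diagnose_ld.py`). When every missing symbol lands in the 1.1.0-only table, adding more `-l` flags will not help; the fix is to compile against the headers that match the installed library, which is what the `/usr/include/openssl` change later in this thread does.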
krayon007 commented 3 years ago

Over the weekend I'll see if I can install the fips version and see if I can figure this out.

Ylianst commented 3 years ago

Maybe this is known already: the OpenSSL FIPS module is out of support. The MeshAgent uses OpenSSL 1.1.1 and so, not sure if it will compile using OpenSSL 1.0.2 without making some changes to the code. Even if it does, OpenSSL 1.0.2 itself is out of support and so, not recommended for use. For example, this vulnerability is not fixed in 1.0.2. It seems like a FIPS module will be available with OpenSSL 3.0, so that is good news for the future. Let us know if this is already known and accounted for.

D4V3M0NK commented 3 years ago

@krayon007 - Ubuntu has FIPS compliant modules which are available through an Ubuntu Advantage subscription (Canonical went through FIPS compliancy for 16 and 18, and 20 is underway). I can make either an OVF / VMDK or AWS instance available to you if required, if it helps?

@Ylianst I totally understand - unfortunately, v1.0.2 is the only version that supports FIPS when building Node, which is why I'm constrained to using it (believe me, I'd rather not!) The CVEs attached to it are an assigned risk for this particular customer. I'm keen to see when v3.0 is available but I've been working on this particular project for over a year now and I'm not going to hold out much hope for that version to be with us any time soon. Canonical's OpenSSL module is supported, although there's not too much you can do with it - you're not permitted to change the source or build code.

krayon007 commented 3 years ago

Ok, thanks! A vmdk would certainly speed things up on my side as I could skip finding/building fips, and just go straight to looking at the makefile and/or building the agent.

krayon007 commented 3 years ago

Ok, I think a vmdk would make it simpler, as it looks like if I compile my own FIPS openssl, it does not generate a shared library, it generates a fips canister (.o file), which is probably different than what you are using?

D4V3M0NK commented 3 years ago

I've been playing with getting you something usable most of the day - I'm hoping that my last iteration works - more when I have it

D4V3M0NK commented 3 years ago

Having more issues with this @krayon007 ... everything seems to work just fine until I import it into VMware Workstation; the guest OS boots up in read-only mode. So, running through the motions (again): will reach out when I have a working version that I can make available to you.

D4V3M0NK commented 3 years ago

@krayon007 as per my email, use the "mc2" user.

krayon007 commented 3 years ago

> @krayon007 as per my email, use the "mc2" user.

Thanks! I successfully downloaded your ova file. This should really help with trying to get the Agent compiled for FIPS.

D4V3M0NK commented 3 years ago

@krayon007 I also wondered if it would be worthwhile making an OVA that had NodeJS installed upon it (and therefore running with the FIPS OpenSSL libraries), with the scripts that shows how I did that? Help or hindrance?

krayon007 commented 3 years ago

> @krayon007 I also wondered if it would be worthwhile making an OVA that had NodeJS installed upon it (and therefore running with the FIPS OpenSSL libraries), with the scripts that shows how I did that? Help or hindrance?

That could be useful , particularly for server side issues we may encounter. I'm out of town at the moment, so I may not be able to download it until Wednesday or so.

krayon007 commented 3 years ago

> @krayon007 I also wondered if it would be worthwhile making an OVA that had NodeJS installed upon it (and therefore running with the FIPS OpenSSL libraries), with the scripts that shows how I did that? Help or hindrance?

Thanks, I got the new ova file downloaded. I'll take a look at it over the holidays.

D4V3M0NK commented 3 years ago

Just checking in @krayon007 - anything I can assist with?

krayon007 commented 3 years ago

> Just checking in @krayon007 - anything I can assist with?

Sorry, I haven't gotten around to it yet, I had a few high priority interrupts...

krayon007 commented 3 years ago

> Just checking in @krayon007 - anything I can assist with?

OK, I fixed it.. I was compiling against the wrong includes when dynamically linking, I fixed it so when dynamically linking it will use /usr/include/openssl

But anyways, I simplified the makefile, so you can just do the following to build and dynamically link with FIPS support:

```
make linux ARCHID=6 FIPS=1
```

The only issue is that openssl/1.02g-fips does not support TLSv1.2 or TLSv1.3, which is required to connect to the mesh server by default... But you can always modify the server if need be... Here's the output when I ran the agent on the ova you gave me, you can see it reports fips support. I made it so when you compile with the `FIPS=1`, it will attempt to enter fips mode when the agent starts. If it fails, it will critical exit.

[screenshot: fips]

D4V3M0NK commented 3 years ago

Once again, the MC2 team comes through in spades. @krayon007 I can't thank you enough - it's going to be a couple of days before I can try this out and I will certainly let you know how I get on. However, one thought: you state that you're using `/usr/include/openssl` - and I'm sure that works perfectly in Ubuntu, but for the sake of potentially other OSs, would it make sense to use something like `which openssl` and then take the response from that? (Apologies, I'm not sure how you would actually do this in code, but I'm just conscious that the location of openssl could change, potentially between versions of an OS as well as the OS itself). Just a thought sir.

krayon007 commented 3 years ago

Since it's a makefile I think the easiest way is if I add an optional build switch, so that you can specify an alternate path as a command line parameter when you run make.

D4V3M0NK commented 3 years ago

I've been snowed for the last few weeks, but finally getting round to testing this today... will let you know how I get on

> 1.02g-fips does not support TLSv1.2 or TLSv1.3, which is required to connect to the mesh server by default... But you can always modify the server if need be

THAT may be a (bloody) showstopper, I didn't realize that ... bear with me, working on how to address that particular gotcha... In the interests of ploughing forward though, you make reference to the fact that the server could be reconfigured to permit TLS1.0? Is there any documentation on that front?