fluent / fluent-bit

Fast and Lightweight Logs and Metrics processor for Linux, BSD, OSX and Windows
https://fluentbit.io
Apache License 2.0

Feature request: OpenSSL FIPS compliance #4640

Open JeffLuoo opened 2 years ago

JeffLuoo commented 2 years ago

Is your feature request related to a problem? Please describe.

The current OpenSSL doesn't have FIPS enabled: https://github.com/fluent/fluent-bit/blob/master/dockerfiles/Dockerfile.x86_64-master#L67-L68. I wonder whether there is any plan to support FIPS in the build? This is required by some users.

Describe the solution you'd like

Describe alternatives you've considered

Additional context

JeffLuoo commented 2 years ago

Related: https://github.com/fluent/fluent-bit/issues/3879

patrick-stephens commented 2 years ago

What do we need to do to enable it? Quite happy to get it in if it's easy - it'll need to be for all platforms as well not just AMD64. The related #3879 seemed to indicate a PR might be coming but I cannot see one. Do you have one?

JeffLuoo commented 2 years ago

I am not an expert on OpenSSL, but from my current knowledge one of the ways to enable it is to support OpenSSL 3.0, as OpenSSL 3.0 is integrated with the FIPS module and no additional FIPS modules are required. See more details on OpenSSL 3.0 at https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final/#:~:text=OpenSSL%203.0%20is%20a%20major,warnings%20about%20using%20deprecated%20APIs).

Fluent Bit currently uses the default version of OpenSSL installed by https://github.com/fluent/fluent-bit/blob/master/dockerfiles/Dockerfile.x86_64-master#L16, and the default version is 1.1.1k-1+deb11u1 (reference: https://packages.debian.org/search?suite=default&section=all&arch=any&searchon=names&keywords=libssl-dev). One way to upgrade is to build from source after downloading OpenSSL 3.0. I haven't tested OpenSSL 3.0 against Fluent Bit's current dependence on the OpenSSL lib.

Hi @ericmillin, is there any update on the issue?

patrick-stephens commented 2 years ago

Ah ok, I think @agup006 covered it succinctly here: https://github.com/fluent/fluent-bit/issues/3879#issuecomment-888771304. Whilst we would love to do it, it's a low priority for the OSS team. I saw that link whilst investigating and it's non-trivial to do.

One significant issue I can see with building from source is whether that transfers the FIPS compliance, or whether you need to re-certify your newly built binaries (maybe you used a compiler/flag/etc. that means it is no longer secure, etc.).

Ideally we do not want to take on the overhead of maintaining an OpenSSL build (and then certifying it) but instead use certified libraries directly - and I think this would be the preference for any organisations requiring FIPS compliance. Other projects have similar issues, see https://github.com/nodejs/help/issues/2666.

If an organisation requiring FIPS compliance can submit a PR that would be ace though, feel free to ping me if you do so I can get someone to look at it if necessary.

A possible alternative is using the UBI 8 image I recently put together for OpenShift here: https://github.com/calyptia/fluent-bit/tree/master/calyptia/ubi8. UBI 8 apparently has FIPS support: https://github.com/nodejs/build/issues/2176. It may be that some simple tweaks to that Dockerfile give us a FIPS-compatible image, and we can push it to DockerHub as well. Although note that just making the container FIPS capable doesn't mean your whole stack is, so ensure you configure your container runtime and host OS appropriately.

Another good set of tips, although it needs certain base images: https://ubuntu.com/blog/building-and-running-fips-containers-on-ubuntu

JeffLuoo commented 2 years ago

Thanks for your work and detailed response Pat! Using certified libraries with FIPS support directly is definitely a good way considering the effort of maintenance and security. I will take a look at the UBI image you pointed to, thanks again for your help!

elibogomolnyi commented 11 months ago

Did anybody succeed in building an image with FIPS-compliant OpenSSL? We need FIPS compliance for our solution and we wonder if there are already any intermediate results.

patrick-stephens commented 11 months ago

Fluent Bit builds with OpenSSL 3 fine, it's the default on Ubuntu 22 I believe. There's also an issue open to upgrade to it for other packages. So you should be able to do it fine.

FIPS compliance though is not just about using OpenSSL 3, see my earlier message. Fluent Bit as it stands can be FIPS compliant, but it depends on your configuration. Certifying it is then a job for that commercial entity per their auditing requirements.

It's also very much a commercial need so if a company is willing to sponsor that endeavour then it would help. Specifically https://github.com/fluent/fluent-bit/issues/7644

CherryJia commented 3 months ago

@patrick-stephens we are running fluent/fluent-bit version 2.2.2 on OpenShift right now with TLS enabled to the Kafka output target. How can we check whether our configuration is FIPS compliant?

Here is our config for the output communication:

```yaml
  ## https://docs.fluentbit.io/manual/pipeline/outputs
  outputs: |
    [OUTPUT]
        Name        kafka
        Match       valid_*_logs
        Brokers     <put_your_kafka_broker>
        Topics      <put_your_topic>
        rdkafka.debug All
        rdkafka.request.required.acks 1
        rdkafka.client.id <put_your_client_id>
        rdkafka.ssl.key.password <ssl_key_password>
        rdkafka.enable.ssl.certificate.verification true
        rdkafka.ssl.certificate.location /certs/cert.pem
        rdkafka.ssl.key.location /certs/cert.key
        rdkafka.security.protocol ssl
        rdkafka.log_level 7
```

patrick-stephens commented 3 months ago

The short answer is that you have to do whatever OpenShift tells you to do to be FIPS compliant. Typically there is some host-level stuff, along with potentially image library updates or configuration required.
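As an added example (not code from this thread or from the Fluent Bit project), a small POSIX shell checker for the three preconditions the thread raises: the host kernel's FIPS flag, whether OpenSSL 3 reports its fips provider as active, and whether the kafka output block actually enables TLS with broker certificate verification. It assumes the OpenSSL 3 `openssl list -providers` output layout and embeds constructed samples; passing these checks is a prerequisite for the auditing Patrick describes, not a certification.

```shell
#!/bin/sh
# Constructed sample of `openssl list -providers` output in the OpenSSL 3
# layout, so the parser can be exercised without calling openssl.
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active'

# Constructed sample of the kafka [OUTPUT] block from the thread (abridged).
SAMPLE_CONFIG='[OUTPUT]
    Name        kafka
    Match       valid_*_logs
    rdkafka.enable.ssl.certificate.verification true
    rdkafka.ssl.certificate.location /certs/cert.pem
    rdkafka.ssl.key.location /certs/cert.key
    rdkafka.security.protocol ssl'

# Succeeds when the "fips" provider block on stdin reports "status: active".
fips_provider_active() {
  awk '
    /^  [a-z]/ { cur = $1 }                 # provider name sits at 2-space indent
    /^    status:/ && cur == "fips" && $2 == "active" { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Succeeds when the kernel FIPS flag file given as $1 contains 1
# (pass /proc/sys/crypto/fips_enabled on a real host or inside the container).
kernel_fips_enabled() {
  [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Succeeds when the kafka output on stdin uses TLS and verifies the broker cert.
kafka_tls_verified() {
  awk '
    $1 == "rdkafka.security.protocol" && ($2 == "ssl" || $2 == "sasl_ssl") { tls = 1 }
    $1 == "rdkafka.enable.ssl.certificate.verification" && $2 == "true" { verify = 1 }
    END { if (tls && verify) exit 0; exit 1 }'
}

# Live checks against the running host/container; one line per precondition.
check_live() {
  kernel_fips_enabled /proc/sys/crypto/fips_enabled && echo "kernel: FIPS mode on" || echo "kernel: FIPS mode off"
  openssl list -providers 2>/dev/null | fips_provider_active && echo "openssl: fips provider active" || echo "openssl: fips provider inactive or absent"
}

case "${1:-}" in --live) check_live ;; esac
```

Run it with `--live` on the OpenShift node and inside the Fluent Bit container, and pipe the real kafka [OUTPUT] block into `kafka_tls_verified`; a missing fips provider inside the container with FIPS mode on at the host is the mismatch the thread warns about.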