Open javsalgar opened 4 years ago
What changes are needed in fluentd core? Need to call some OpenSSL APIs?
@javsalgar I'd love to better understand the use case for FIPS
Hi, any progress on this? couldn't find any other topics discussing this thread
@javsalgar Please share your findings on this
@javsalgar I'd love to better understand the use case for FIPS
Most governments require FIPS-validation. It's an absolute requirement by the US government.
+1
+1
To support OpenSSL FIPS on Fluentd, users must install an OpenSSL library with FIPS support. This module sometimes isn't provided for non-commercial distributions such as Ubuntu. Ubuntu does not support FIPS on non-Pro clients: https://ubuntu.com/security/certifications/docs/fips
So, users ought to compile it with FIPS support by themselves if they don't use commercial distributions.
I found some hints to enable FIPS mode:
If the FIPS-enabled libraries are installed, users must enable the FIPS module as follows:
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
The current status of FIPS support on ruby/openssl is here: https://github.com/ruby/openssl/issues/603
Any thoughts, @ashie @kenhys @daipom?
According to https://github.com/ruby/openssl/issues/603 and https://github.com/ruby/openssl/releases/tag/v3.2.0, the FIPS support effort is not fully merged in v3.2.0, so we need to wait for a newer ruby/openssl release. (e.g. https://github.com/ruby/openssl/pull/694 was fixed after v3.2.0)
As it depends on the user environment, it seems that there is little room to deal with it on the Fluentd side, isn't it?
If it is easy to detect whether a FIPS-compliant OpenSSL is running from the Fluentd side, checking it on the Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)
If it is easy to detect whether a FIPS-compliant OpenSSL is running from the Fluentd side, checking it on the Fluentd side may be reasonable. (e.g. OpenSSL.fips_mode)
Yup. It's reasonable. We're only able to switch it on/off or to detect whether FIPS is enabled or not.
Under this circumstance, we're able to provide a switch on/off for the FIPS module with a certain parameter and decline to launch Fluentd based on OpenSSL.fips_mode.
Hi, any update on this enhancement?
Check CONTRIBUTING guideline first and here is the list to help us investigate the problem.
Is your feature request related to a problem? Please describe.
I would like to confirm that it is possible to configure Fluentd to only use FIPS-validated cryptography. I saw that starting with 0.14.12 there is support for SSL when forwarding. Would using a FIPS-validated OpenSSL be enough, or are there other encryption functions that need to be configured in order to be FIPS-compliant (https://docs.pulsesecure.net/WebHelp/PCS/9.1R4/AG/Content/PCS/PCS_AdminGuide/Supported_Cipher_Suites_When_2.htm)?
Describe the solution you'd like
A confirmation on whether using a FIPS-validated OpenSSL is enough.
Describe alternatives you've considered
n/a