nodejs / help


Verifying TLS Cipher Suites in FIPS Mode #4335

Open panburana opened 5 months ago

panburana commented 5 months ago

Details

Hi,

I want to verify that node running in FIPS mode will indeed restrict what TLS cipher suites are offered. Is there a way to do this?

I ran a trivial example server but it was able to come up and listen on 443 with only TLS_CHACHA20_POLY1305_SHA256 as the cipher set. I was expecting the server to not bind since chacha poly isn't FIPS approved.

Thanks,

Peter

Node.js version

v20.11.0

Example code

Here's an example TLS server I attempted to use (modified it to add crypto.setFips(true) prior to server start and set the only cipher to chacha): https://github.com/smallstep/certificates/blob/14fcf589032a87341c4a2bf58414b2091b42bb90/autocert/examples/hello-mtls/node/server.js

Operating system

Linux

Scope

runtime

Module and version

Not applicable.

panburana commented 3 months ago

Maybe a simpler question: does setting FIPS mode in node affect the TLS library's behavior at all?

I'm noticing that if you call crypto.setFips(1) prior to tls.createServer() you get the following error:

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:68:19)
    at Object.createHash (node:crypto:138:10)
    at Server.setSecureContext (node:_tls_wrap:1472:14)
    at new Server (node:_tls_wrap:1350:8)
    at Object.createServer (node:_tls_wrap:1385:10)