Open panburana opened 5 months ago
Maybe a simpler question: does setting FIPS mode in node affect the TLS library's behavior at all?
I'm noticing that if you call crypto.setFips(1) prior to tls.createServer() you get the following error:
```
Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:68:19)
    at Object.createHash (node:crypto:138:10)
    at Server.setSecureContext (node:_tls_wrap:1472:14)
    at new Server (node:_tls_wrap:1350:8)
    at Object.createServer (node:_tls_wrap:1385:10)
```
Details
Hi,
I want to verify that node running in FIPS mode will indeed restrict what TLS cipher suites are offered. Is there a way to do this?
I ran a trivial example server but it was able to come up and listen on 443 with only TLS_CHACHA20_POLY1305_SHA256 as the cipher set. I was expecting the server to not bind since chacha poly isn't FIPS approved.
Thanks,
Peter
Node.js version
v20.11.0
Example code
Here's an example TLS server I attempted to use (modified it to add crypto.setFips(true) prior to server start and set the only cipher to chacha): https://github.com/smallstep/certificates/blob/14fcf589032a87341c4a2bf58414b2091b42bb90/autocert/examples/hello-mtls/node/server.js
Operating system
Linux
Scope
runtime
Module and version
Not applicable.