nodejs / help


Enabling FIPS mode breaks TLS server creation #4354

Closed panburana closed 3 months ago

panburana commented 3 months ago

Details

If you enable FIPS mode prior to attempting to create a TLS server, the following usage of SHA1 is blocked by OpenSSL, causing the TLS server to fail to come up: https://github.com/nodejs/node/blob/v20.x/lib/_tls_wrap.js#L1472

The FIPS documentation for Node isn't clear on how it is supposed to behave with the tls module. Is FIPS mode only supported for the crypto module?

Node.js version

Node.js v20.11.1

Example code

Calling crypto.setFips(1) followed by tls.createServer(options, (socket)

results in the following stack trace:

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:68:19)
    at Object.createHash (node:crypto:138:10)
    at Server.setSecureContext (node:_tls_wrap:1472:14)
    at new Server (node:_tls_wrap:1350:8)
    at Object.createServer (node:_tls_wrap:1385:10)

Operating system

Linux

Scope

Runtime

Module and version

Not applicable.

panburana commented 3 months ago

It appears that starting node with --enable-fips or via the OpenSSL cnf resolves this.