nodejs / help


Install Node.js with FIPS enabled #4401

Open ShivamSarawagi opened 1 month ago

ShivamSarawagi commented 1 month ago

Node.js Version

v20.13.1

NPM Version

v10.5.2

Operating System

Darwin Kernel Version 23.5.0

Subsystem

crypto

Description

I am trying to upgrade Node.js from v16.14.2 to Node.js v20.13.1 as part of FIPS compliance, but I am getting an error and the process fails. Below I have shared the two ways I have tried; both still give the error.

  1. First I tried doing this via nvm, where I executed the command nvm install -s v20.13.1 --openssl-is-fips, but I am getting this error:

    make[1]: *** No rule to make target `/Users/ss/.nvm/.cache/src/node-v20.13.1/files/out/Release/obj.target/deps/openssl/libopenssl-fipsmodule.so', needed by `/Users/ss/.nvm/.cache/src/node-v20.13.1/files/out/Release/obj.target/deps/openssl/fipsmodule.cnf'.  Stop.
    make[1]: *** Waiting for unfinished jobs....
    rm c0b1cf9c2f1387266d593c0382d840aa7e3651b5.intermediate
    make: *** [node] Error 2
    nvm: install v20.13.1 failed!
  2. After the above step, I removed nvm and all the installed versions of Node. Then I installed Node 20.13.1 from the installer and downloaded the source code to execute

    $ ./configure --openssl-is-fips
    $ make -j8

    But I get the same error:

    make[1]: *** No rule to make target `/Users/ss/Downloads/node-v20.13.1/out/Release/obj.target/deps/openssl/libopenssl-fipsmodule.so', needed by `/Users/ss/Downloads/node-v20.13.1/out/Release/obj.target/deps/openssl/fipsmodule.cnf'.  Stop.
    make[1]: *** Waiting for unfinished jobs....
    rm d1dcd30e4f4e81c0b1964314de4f459782c8b7e4.intermediate
    make: *** [node] Error 2

Some of the links I am referring to for this: https://chromium.googlesource.com/external/github.com/v8/node.git/+/46d4e47b7b04f62440aaf5adddd9cfbfacd25c06/BUILDING.md#fips-support-when-statically-linking-openssl

https://github.com/nodejs/node/issues/48776

Minimal Reproduction

No response

Output

No response

richardlau commented 1 month ago

You do not need to rebuild Node.js for FIPS support, but you will need a correctly built/installed FIPS provider. See https://nodejs.org/docs/latest-v20.x/api/crypto.html#fips-mode for more details.

https://github.com/nodejs/node/issues/48776#issuecomment-1636315211 still stands, but if you actually need FIPS compliance you will need to follow https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md.

ShivamSarawagi commented 1 month ago

@richardlau As per this, I tried installing OpenSSL 3.0.0 following download-and-build-a-validated-fips-provider. But in the Node documentation on crypto it is not clear what the next steps are, as per the section below at https://nodejs.org/docs/latest-v20.x/api/crypto.html#fips-mode:

For FIPS support in Node.js you will need:

  • A correctly installed OpenSSL 3 FIPS provider.
  • An OpenSSL 3 FIPS module configuration file.
  • An OpenSSL 3 configuration file that references the FIPS module configuration file.

I have installed OpenSSL, and openssl-3.0.0/providers/fipsmodule.cnf is present at this path.

Set the OPENSSL_CONF environment variable to point to your configuration file and OPENSSL_MODULES to the location of the FIPS provider dynamic library. e.g.

export OPENSSL_CONF=/<path to configuration file>/nodejs.cnf
export OPENSSL_MODULES=/<path to openssl lib>/ossl-modules

Does nodejs.cnf need to be manually created as per the sample code provided in the documentation? And I didn't find any reference to ossl-modules.

So I am not exactly sure about the next step after the OpenSSL download and validate step.

richardlau commented 1 month ago

Does nodejs.cnf need to be manually created as per the sample code provided in the documentation? And I didn't find any reference to ossl-modules.

Yes, you will need to create nodejs.cnf.

ossl-modules is created by

sudo make install_fips

from https://github.com/openssl/openssl/blob/openssl-3.0/README-FIPS.md#copy-the-fips-provider-artifacts-fipsso--fipsmodulecnf-to-known-locations

ShivamSarawagi commented 1 month ago

@richardlau ossl-modules is available now, but /usr/local/lib/ossl-modules/fips.so is not getting generated for some reason.

This is what I have done overall:

1 -

$ wget https://www.openssl.org/source/openssl-3.0.0.tar.gz
$ tar -xf openssl-3.0.0.tar.gz
$ cd openssl-3.0.0
$ ./Configure enable-fips
$ make
$ cd ..

2 - sudo make install

3 - openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so, which is failing with:

Can't open "/usr/local/lib/ossl-modules/fips.so" for reading, No such file or directory
4042300302000000:error:80000002:system library:BIO_new_file:No such file or directory:crypto/bio/bss_file.c:67:calling fopen(/usr/local/lib/ossl-modules/fips.so, rb)
4042300302000000:error:10000080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:75:
Failed to open module file
INSTALL FAILED

richardlau commented 1 month ago

Can you check if your ossl-modules directory is in /usr/local/lib64 instead of /usr/local/lib?

Also according to https://www.openssl.org/source/ OpenSSL 3.0.8 and 3.0.9 are validated, so you might try one of those (although I expect 3.0.0 to work).

richardlau commented 1 month ago

For example, I get this output at the end of make install (with OpenSSL 3.0.0):

*** Installing FIPS module
install providers/fips.so -> /usr/local/lib64/ossl-modules/fips.so
*** Installing FIPS module configuration
install providers/fipsmodule.cnf -> /usr/local/ssl/fipsmodule.cnf

ShivamSarawagi commented 1 month ago

I tried with 3.0.9 also, and I am getting this output:

/Library/Developer/CommandLineTools/usr/bin/make depend && /Library/Developer/CommandLineTools/usr/bin/make _build_sw
*** Installing FIPS module
install providers/fips.dylib -> /usr/local/lib/ossl-modules/fips.dylib
*** Installing FIPS module configuration
install providers/fipsmodule.cnf -> /usr/local/ssl/fipsmodule.cnf

I think the difference is fips.dylib instead of fips.so.

Any idea how to fix this?

richardlau commented 1 month ago

Unfortunately not -- I only have experience on Linux and am not a macOS user. Maybe try replacing .so with .dylib in the commands?

You could try searching/posting to OpenSSL's openssl-users mailing list.
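Putting richardlau's answers together (where ossl-modules comes from, the lib vs lib64 question, and the fips.so vs fips.dylib difference on macOS), here is an added shell example that is not from this thread nor from the Node.js or OpenSSL projects: it finds the installed provider under whichever library directory and extension the platform used, and writes the nodejs.cnf that the Node.js crypto docs describe. It assumes OpenSSL's default /usr/local install prefix and that the openssl fipsinstall step is run separately, as in the thread.

```shell
# Added example (not from this thread): locate the OpenSSL 3 FIPS provider that
# `make install_fips` put under an install prefix, covering both pitfalls raised
# above: lib vs lib64, and fips.so (Linux) vs fips.dylib (macOS).
# $1 = install prefix (assumed /usr/local, OpenSSL's default). Prints the path.
find_fips_module() {
  prefix=${1:-/usr/local}
  for libdir in lib64 lib; do
    for ext in so dylib; do
      candidate="$prefix/$libdir/ossl-modules/fips.$ext"
      if [ -f "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
      fi
    done
  done
  echo "no FIPS provider under $prefix/{lib,lib64}/ossl-modules" >&2
  return 1
}

# Write the nodejs.cnf ($1) that the Node.js docs ask for, referencing the
# fipsmodule.cnf ($2) produced by `openssl fipsinstall`. Node reads the
# nodejs_conf section by default, so that is the application name used here.
write_nodejs_cnf() {
  out=$1
  fipsmodule_cnf=$2
  cat >"$out" <<EOF
nodejs_conf = nodejs_init

.include $fipsmodule_cnf

[nodejs_init]
providers = provider_sect

[provider_sect]
default = default_sect
# must match the section name inside the included fipsmodule.cnf
fips = fips_sect

[default_sect]
activate = 1
EOF
}

# Manual flow once the functions are defined (run after `sudo make install_fips`):
#   MODULE=$(find_fips_module /usr/local)
#   openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module "$MODULE"
#   write_nodejs_cnf "$HOME/nodejs.cnf" /usr/local/ssl/fipsmodule.cnf
#   export OPENSSL_CONF="$HOME/nodejs.cnf" OPENSSL_MODULES="$(dirname "$MODULE")"
#   node --enable-fips -p 'crypto.getFips()'   # 1 means the provider is active
```

If fipsinstall still cannot open the module, the path printed by find_fips_module is the one to pass to -module; OPENSSL_MODULES must point at the directory containing it, not at the file.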