Comments (6)
I see. Thank you for sharing your situation.
I noticed perhaps you might misunderstand how to use OpenSSL.fips_mode
.
Running OpenSSL.fips_mode=true
is just only to set the default property query fips=yes
documented at fips_module(7). It is equivalent calling the OpenSSL API: EVP_default_properties_enable_fips(NULL, 1)
. And it doesn't load fips provider. You need to set up the OpenSSL config file and/or maybe need to call Ruby OpenSSL methods in OpenSSL::Provider
to load the fips provider manually.
I tested OpenSSL::SSL::SSLContext.new
in FIPS on my local, and I confirmed it worked on my environment where OpenSSL loading fips and base providers.
- Ruby: the latest master branch: ruby 3.4.0dev (2024-01-09T09:47:15Z master 38bc107f0b) [x86_64-linux]
- Ruby OpenSSL (ruby/openssl): the current latest master branch commit 1fa9fc5
- OpenSSL: 3.0.12 (the latest version of the OpenSSL 3.0 series)
$ which ruby
~/.local/ruby-3.4.0dev-debug-38bc107f0b/bin/ruby
$ ruby -v
ruby 3.4.0dev (2024-01-09T09:47:15Z master 38bc107f0b) [x86_64-linux]
$ $HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/bin/openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
You can check the loaded providers by the following openssl command.
$ OPENSSL_CONF=$HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/ssl/openssl_fips.cnf \
$HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/bin/openssl list -providers
Providers:
base
name: OpenSSL Base Provider
version: 3.0.12
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.12
status: active
Here is the testing script.
$ cat test.rb
require "openssl"
puts "Providers: #{OpenSSL::Provider.provider_names.join(", ")}"
puts "FIPS enabled: #{OpenSSL.fips_mode}"
p OpenSSL::SSL::SSLContext.new
The OpenSSL::SSL::SSLContext.new
works in non-FIPS case.
On the ruby/openssl project directory:
$ pwd
/home/jaruga/git/ruby/openssl
Run the script, loading the openssl library rather than the default openssl used as standard library in Ruby.
$ ruby -I ./lib test.rb
Providers: default
FIPS enabled: false
#<OpenSSL::SSL::SSLContext:0x00007fcf9d93d400 @verify_mode=0, @verify_hostname=false>
The OpenSSL::SSL::SSLContext.new
also works in FIPS case.
$ OPENSSL_CONF=$HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/ssl/openssl_fips.cnf \
ruby -I ./lib test.rb
Providers: fips, base
FIPS enabled: true
#<OpenSSL::SSL::SSLContext:0x00007f67bc9fd410 @verify_mode=0, @verify_hostname=false>
from openssl.
Why are you using with fips and "legacy" providers in the FIPS case? I think using fips and base providers is typical in the case.
According to the following document, I am not sure if the legacy provider works in the FIPS case.
https://www.openssl.org/docs/manmaster/man7/fips_module.html
Applications written to use the OpenSSL 3.0 FIPS module should not use any legacy APIs or features that avoid the FIPS module. Specifically this includes:
You can check the following links.
- https://github.com/ruby/openssl/blob/master/CONTRIBUTING.md#with-different-versions-of-openssl
- https://github.com/openssl/openssl/blob/master/README-FIPS.md
from openssl.
I would also recommend using the ruby/openssl latest version 3.2.0 by installing it by gem install openssl
, or using Ruby 3.3 bundling openssl gem 3.2.0 in the FIPS use case if it is no problem for you.
from openssl.
Hi @junaruga
I appreciate you for looking into this issue. We are using WinRM gem which internally uses rubyntlm gem. This gem still uses algorithms which are marked as legacy in OpenSSL v3. It was working fine when we were on OpenSSL 1.1.1t and started breaking when we upgraded it to version 3. I also had the suspicion that the use of legacy providers might mess up things and tried without it and I was still getting the same issue.
Also, I'm sorry for mentioning the incorrect version of ruby/openssl in the issue; I am using v3.2.0 and updated the issue description as well. We are using Ruby 3.1.0 and by default, it uses ruby/openssl 3.0.0. When started testing FIPS mode I got the error that it doesn't support FIPS mode and I upgraded it to 3.2.0.
I'll compile it from the source and try the approaches mentioned in the links you shared. Thanks a lot for looking into this.
from openssl.
Hi @junaruga,
I was following this documentation to set up the FIPS for OpenSSL. Updating the openssl.cnf was not mentioned on that page and I missed that part. And the issue happened because the fips provider was not enabled in the opnessl conf. After enabling that, this is working fine for me.
Thanks a lot for helping me out with this issue.
from openssl.
OK. I am glad you solved your issue. Let me close this ticket.
from openssl.
Related Issues (20)
- FIPS: DH: OpenSSL::PKey.generate_parameters returning a value with block of break. HOT 7
- macos-latest truffeeruby-head: test_basic_response_response_operations failing HOT 3
- truffleruby-head 24.0.0-dev: Failing to compile dependant stringio gem. HOT 14
- OpenSSL::PKey::EC.new(nil).generate_key fails with OpenSSL::PKey::PKeyError HOT 6
- OpenSSL 3.2.0 - sessions, time, signed vs unsigned, failure with negative session timeout values HOT 6
- Respect system wide minimum TLS version HOT 2
- windows-latest 3.3 case failing with "OpenSSL::Provider::ProviderError: Failed to load legacy provider: (null) (name=legacy)" HOT 8
- OpenSSL::PKey::PKey subclass for EVP_PKEY_RSA_PSS HOT 4
- Error "Failed to build gem native extension." when running "gem install openssl" in Fedora HOT 4
- OpenSSL udate 3.2.1 for CVE-2023-6129 HOT 3
- OpenSSL 3 | Providers | Support broader range of URI schemes for loading keys HOT 3
- OpenSSL 3 support for loading engine keys HOT 3
- OpenSSL version 3.3.0-dev: OpenSSL::ASN1::ASN1Error: utctime/generalizedtime is too short HOT 7
- OpenSSL::ASN1.decode doesn't correctly parse UTCTime or GeneralizedTime with fractional seconds or a timezone
- remove file check to support proxied SSL connection HOT 5
- When decrypted with a different private key, `OpenSSL::PKey::RSAError` does not occur HOT 2
- Upcoming OpenSSL Webinar: Writing Your First OpenSSL Application
- Invalid CSR versions set in regress tests HOT 2
- OpenSSL::SSL::SSLError: SSL_write: unsupported method HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openssl.