FIPS build instructions #2242

Closed
@mhdawson

I'll start out by apologizing that I did not have time to review/comment on this while the initial doc was being written in #1890, but I think we have a few issues:

  1. From my read of the openssl security policy (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf)

My read is that in Appendix A, page 27 it states that unless you build in a specific way the following applies as written on page 28:

Note that failure to use one of the specified commands sets exactly as shown will result in a
module that cannot be considered compliant with FIPS 140-2.

Our current instructions here: https://github.com/nodejs/io.js describe building with a prefix, which would not match the above instructions. The user guide here https://openssl.org/docs/fips/UserGuide-2.0.pdf specifically calls out that you cannot use a prefix (see section 5.7.1 on page 63).

I think we might be able to update the instructions to indicate to build as outlined in the security policy/user guide and then update the configure line (what is shown is where the make installed on ubuntu 12, we probably need something more generic or to just say to point it to where make install did the installation):

./configure --openssl-fips=/usr/local/ssl/fips-2.0

I have a compile going to see if things build/run ok with that.

  2. There is a requirement to get the source through a "trusted" path. See page 87 in https://openssl.org/docs/fips/UserGuide-2.0.pdf. What we currently describe in our readme is likely not sufficient to ensure that people understand that they have to verify with an already validated tool or get the source through a trusted path like email.

  3. There might be other gotchas in the security policy/user guide but I've not had time to do a full read yet. One I'm wondering about is 5.1 on page as I'm not sure if absolutely all of the crypto in Node comes from openssl or not.

If there is consensus that we need to adjust the doc, I can put together a pull request.

Labels: doc (Issues and PRs related to the documentations), openssl (Issues and PRs related to the OpenSSL dependency)