Description
- Version: v13.0.0-pre
- Platform: Linux e8907ec245de 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
- Subsystem: crypto
This issue was discovered by dynamically linking to Red Hat's OpenSSL 1.1.1c (which has not yet been released). This might not be an issue for other platforms but we should still look into and verify that configuring FIPS is supported by adding this configuration option in openssl.cnf as discussed in #28507.
This issue is related to configuring OpenSSL FIPS support by using the OpenSSL configuration file:
```
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
```
It should be possible to enable FIPS by setting `fips_mode` to `true/yes` in `/etc/pki/tls/openssl.cnf`:
```
openssl_conf = default_modules
[ default_modules ]
alg_section = evp_settings
[ evp_settings ]
fips_mode = true
```
Starting node with the above configuration:
```
$ OPENSSL_CONF=/etc/pki/tls/openssl.cnf ./node -p "require('crypto').getFips()"
openssl config failed: error:060B10A7:digital envelope routines:alg_module_init:fips mode not supported
0
```
Note that it is possible to enable fips using `--enable-fips`:
```
./node --enable-fips -p "require('crypto').getFips()"
1
```
Since OpenSSL in this case is modified to provide FIPS support and has not been released yet, I can't rule out that there is a bug/missing patch which is causing this.
I'm heading off on PTO tomorrow but I'll follow up on this when I get back in August.
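
The output above shows the process continuing with `getFips()` returning `0` even though the configuration file asked for FIPS. The following is an added example, not part of the original issue or of Node.js itself: a startup check that reads the same `openssl_conf` -> `alg_section` -> `fips_mode` chain and reports a mismatch with the effective state. The function names and the simplified config reader are assumptions made for illustration.

```javascript
// Added example: detect "FIPS requested in openssl.cnf but not active".
const crypto = require('crypto');

// Simplified openssl.cnf reader (assumption): sections, key = value and
// '#' comments only; no .include, $variable expansion or continuations.
function parseConf(text) {
  const sections = { '': {} };
  let current = '';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) continue;
    const sec = line.match(/^\[\s*([^\]]+?)\s*\]$/);
    if (sec) {
      current = sec[1];
      sections[current] = sections[current] || {};
      continue;
    }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv) sections[current][kv[1].trim()] = kv[2].trim();
  }
  return sections;
}

// Follow openssl_conf -> alg_section -> fips_mode, as in the issue's config.
// The issue names true/yes as the enabling values; matched case-insensitively.
function fipsRequested(text) {
  const conf = parseConf(text);
  const modules = conf[conf['']['openssl_conf']] || {};
  const evp = conf[modules['alg_section']] || {};
  return /^(true|yes)$/i.test(evp['fips_mode'] || '');
}

// True only when the requested and effective states agree.
function fipsStateConsistent(text, effective = crypto.getFips()) {
  return !fipsRequested(text) || effective === 1;
}

// Constructed sample: the configuration quoted in the issue.
const SAMPLE = `
openssl_conf = default_modules
[ default_modules ]
alg_section = evp_settings
[ evp_settings ]
fips_mode = true
`;

console.log('requested:', fipsRequested(SAMPLE), 'effective:', crypto.getFips());
```

In a real service, read the file named by `OPENSSL_CONF` and refuse to start when `fipsStateConsistent` returns `false`.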