Node 4.2: Unable to run Node in non-FIPS mode if compiled with FIPS support #3819
Comments
|
/cc @mhdawson |
mscdex
added
tls
|
@lordjabez in what cases are you seeing npm fail with FIPS turned on ? I agree an option to turn on /off would likely be useful @stefanmb |
|
At first look MD5 dependencies in npm are not well justified. I'm trying to fix them. |
|
Certainly if npm can be made to run with FIPS mode active, that's a good thing. But in any case I agree with @mhdawson that some form of runtime switch is needed to make a FIPS validated Node practical. I'm pushing my company pretty hard to move our entire tech stack to Node, and running FIPS validated is a key part of that. |
|
Another complication is that the test cases will become much more complex: (1) Turn on FIPS. |
|
I had better luck with npm and FIPS after the following patches: I'll see if I can get them accepted. There is still the issue regarding native modules #3815 which will have to be addressed. |
|
Not sure, whether this applies to 4.x as well, however, I had to fix v5.0.0 too because it never called FIPS_mode() (and if compiled with -DFIPS_NODE it calls fips_mode_set(1) again and again w/o need, which in turn causes annoying messages)! Anyway, see http://iws.cs.uni-magdeburg.de/~elkner/tmp/node5/ssl.patch and look for 'FIPS_mode()' (2 places) - the major problem. BTW: I think the major issue here is, that it is assumed, that a FIPS capable lib is always used with FIPS_mode set to 1. This is wrong! Actually one doesn't need a non-FIPS capable OpenSSL lib at all, if the application provides a mechanism, to switch it on on demand (e.g. node --fips), because basically only than the non-FIPS compliant stuff gets switched off. |
|
@stefanb I could be wrong but I didn't think you could turn it on/off, more that you have to set it one way or the other before any crypto is used. |
|
I have made PR #5181 to resolve outstanding issues here. |
|
Closing since change is now in master. Since the change is semver major it won't go into 4.X or 5.X. |
As currently implemented, when Node is compiled with FIPS support (
./configure fips), there is no way to disable engaging FIPS mode during execution. This means that several functions that rely on non-FIPS approved algorithms (e.g. md5 hashing) will fail, as will any code that depends on them (most obviously,npm).What seems needed to me is a way to explicitly enable or disable FIPS operation each time node is invoked. The way this is done with the openssl CLI is via the OPENSSL_FIPS environment variable.
It is straightforward to add a similar capability to Node. A pull request with a suggested implementation is forthcoming.
The text was updated successfully, but these errors were encountered: