Introduction
In this post, we will see
- how to build a FIPS-enabled OpenSSL inside Docker.
- how to enable FIPS mode on a host at the kernel level.
Note: I will not talk about what FIPS is all about.
Note: I have run the investigation below on CentOS 7.
Dockerfile
FROM centos:7
RUN yum update -y
RUN yum -y install git libffi-devel libffi libxml2-devel libxslt-devel libjpeg-devel zlib-devel \
make cmake gcc wget bzip2-devel sqlite-devel curl \
&& yum groupinstall -y 'Development Tools'
ENV OPENSSL_FIPS=1
RUN mkdir -p /usr/local/src/ \
&& cd /usr/local/src/ \
&& curl -O https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz \
&& curl -O https://www.openssl.org/source/openssl-1.0.2t.tar.gz \
&& tar -xvf openssl-fips-2.0.16.tar.gz \
&& cd openssl-fips-2.0.16 \
&& ./config \
&& make install \
&& cd ../ \
&& rm -f openssl-fips-2.0.16.tar.gz \
&& rm -rf ./openssl-fips-2.0.16 \
&& tar -xvf openssl-1.0.2t.tar.gz \
&& cd openssl-1.0.2t \
&& ./config shared fips no-ssl2 no-ssl3 \
&& make depend \
&& make install \
&& echo "/usr/local/ssl/lib" > /etc/ld.so.conf.d/openssl-1.0.2t.conf \
&& ldconfig -v \
&& ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl \
&& openssl version

OpenSSL provides the FIPS-capable OpenSSL source code, and we have to build it ourselves.
In the Dockerfile above, we first install the FIPS Object Module (openssl-fips-2.0.16), as OpenSSL recommends, and then build OpenSSL 1.0.2t against it with the "fips" config option.
Note: the base image centos:7 used above had no OpenSSL installed beforehand.
Even if an older OpenSSL is present on your machine, this build does not touch it: everything is installed under a separate prefix, /usr/local/ssl.
Build Docker image
docker build -t my-fips-openssl .

FIPS Enabled OpenSSL
$ openssl version
OpenSSL 1.0.2t-fips 10 Sep 2019
Enabling FIPS support
It is important to note that installing a FIPS-capable OpenSSL does not by itself reject non-approved algorithms such as md5.
We need to ask OpenSSL to enable FIPS mode explicitly, by setting the OPENSSL_FIPS environment variable.
See example:
$ openssl md5 <file>
You will get a valid md5 digest.
Enabling FIPS
OPENSSL_FIPS=1 openssl md5 <file>
Error setting digest md5
140584782555024:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:

This confirms that FIPS mode is being enforced.
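A quick way to confirm both behaviours described above (md5 accepted by default, refused once OPENSSL_FIPS=1 is set, while an approved digest keeps working) is the script below. It is an added example, not code from the original post; it assumes only that the binary passed as its argument behaves like the 1.0.2t-fips build shown above, and the sample file it hashes is constructed on the fly.

```shell
#!/bin/sh
# check_fips.sh: verify that an OpenSSL binary is a FIPS-capable build and that
# FIPS mode, once requested with OPENSSL_FIPS=1, rejects a non-approved digest
# (md5) while still accepting an approved one (sha256).
# Added example, not part of the original post.
#
# Usage:  ./check_fips.sh /usr/local/ssl/bin/openssl

check_fips_openssl() {
    bin="$1"
    sample="$(mktemp)"
    # Constructed input; the digest value itself is irrelevant to the check.
    printf 'fips self-check sample\n' > "$sample"

    # 1. The version banner of a FIPS-capable 1.0.2 build carries "-fips".
    ver="$("$bin" version 2>/dev/null || true)"
    case "$ver" in
        *fips*) ;;
        *) echo "FAIL: $bin is not a FIPS-capable build (got: '$ver')" >&2
           rm -f "$sample"; return 1 ;;
    esac

    # 2. FIPS mode is opt-in: with OPENSSL_FIPS unset, md5 must still work.
    #    The openssl command checks only whether the variable is present, so
    #    it is removed with `env -u` rather than set to an empty string.
    if ! env -u OPENSSL_FIPS "$bin" md5 "$sample" >/dev/null 2>&1; then
        echo "FAIL: md5 rejected even without OPENSSL_FIPS (unexpected state)" >&2
        rm -f "$sample"; return 1
    fi

    # 3. With OPENSSL_FIPS=1, md5 must be refused ...
    if OPENSSL_FIPS=1 "$bin" md5 "$sample" >/dev/null 2>&1; then
        echo "FAIL: md5 still accepted with OPENSSL_FIPS=1; FIPS mode not enforced" >&2
        rm -f "$sample"; return 1
    fi

    # 4. ... while an approved digest keeps working, showing the module loaded.
    if ! OPENSSL_FIPS=1 "$bin" sha256 "$sample" >/dev/null 2>&1; then
        echo "FAIL: sha256 fails with OPENSSL_FIPS=1; FIPS module did not initialise" >&2
        rm -f "$sample"; return 1
    fi

    rm -f "$sample"
    echo "OK: $bin ($ver) enforces FIPS mode when OPENSSL_FIPS=1"
    return 0
}

if [ $# -eq 0 ]; then
    echo "usage: $0 <path-to-openssl-binary>" >&2
else
    check_fips_openssl "$1"
fi
```

Run it inside the image as `./check_fips.sh /usr/local/ssl/bin/openssl` (or against the /usr/bin/openssl symlink the Dockerfile creates). Step 2 matters in this image in particular: the Dockerfile bakes in ENV OPENSSL_FIPS=1, so every openssl invocation there is already in FIPS mode unless the variable is removed.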
Enable a Host FIPS-Enabled at Kernel Level
Run the script below as root and then restart your host machine.
#!/bin/bash
# Installing the dracut FIPS module
yum install dracut-fips -y
# Taking a backup of the current initramfs
mv -v /boot/initramfs-$(uname -r).img{,.bak}
# Building a FIPS-enabled initramfs (with dracut-fips installed, dracut now includes the fips module)
dracut
# Setting the kernel parameter on the default kernel
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
# This line is required in case someone runs grub2-mkconfig manually
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
# If /boot is a separate partition, the fips module needs boot=UUID=... to locate the kernel HMAC file;
# findmnt returns nothing when /boot is not its own mount point, so both steps below are skipped then
uuid=$(findmnt -no uuid /boot)
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
# This line is required in case someone runs grub2-mkconfig manually
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
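After the reboot, the steps above can be verified from user space: the kernel exposes its FIPS state in /proc/sys/crypto/fips_enabled and the parameters it booted with in /proc/cmdline, and /etc/default/grub is what a later grub2-mkconfig would regenerate from. The script below is an added example, not part of the original post; its root-prefix argument is a convention of this script (pass / for the live host) so the same checks can be pointed at a directory of test fixtures.

```shell
#!/bin/sh
# host_fips_check.sh: verify, after the reboot, that the host really runs in
# FIPS mode and that the setting will survive a later grub2-mkconfig.
# Added example, not part of the original post.
#
# Usage:  ./host_fips_check.sh /     (the argument is a root prefix: "/" means
#                                     the live host, anything else a fixture dir)

host_fips_check() {
    root="${1%/}"          # strip a trailing slash so "/" becomes ""
    rc=0

    # Kernel-reported state: 1 only when the kernel booted with fips=1.
    enabled="$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null || echo missing)"
    # Parameters the running kernel was actually booted with.
    cmdline="$(cat "$root/proc/cmdline" 2>/dev/null || true)"
    # Line grub2-mkconfig would use to regenerate grub.cfg.
    grub_line="$(grep '^GRUB_CMDLINE_LINUX=' "$root/etc/default/grub" 2>/dev/null || true)"

    case " $cmdline " in
        *" fips=1 "*) echo "ok:   kernel command line contains fips=1" ;;
        *) echo "FAIL: fips=1 not on the kernel command line (grubby step missing, or host not rebooted yet)"
           rc=1 ;;
    esac

    if [ "$enabled" = 1 ]; then
        echo "ok:   /proc/sys/crypto/fips_enabled = 1"
    else
        echo "FAIL: /proc/sys/crypto/fips_enabled = $enabled (kernel is not in FIPS mode)"
        rc=1
    fi

    case "$grub_line" in
        *fips=1*) echo "ok:   fips=1 persisted in /etc/default/grub" ;;
        *) echo "FAIL: fips=1 missing from GRUB_CMDLINE_LINUX in /etc/default/grub (a manual grub2-mkconfig would drop it)"
           rc=1 ;;
    esac

    # Advisory only: the script cannot tell from fixtures whether /boot is a
    # separate partition, so it just reports whether boot=UUID=... is present.
    case " $cmdline " in
        *" boot=UUID="*) echo "ok:   boot=UUID=... present (required when /boot is a separate partition)" ;;
        *) echo "note: no boot= parameter; fine only if /boot is not a separate partition" ;;
    esac

    return $rc
}

if [ $# -eq 0 ]; then
    echo "usage: $0 <root-prefix, e.g. />" >&2
else
    host_fips_check "$1"
fi
```

The three hard checks map directly onto the script above: fips=1 on the command line comes from the grubby step, fips_enabled = 1 shows the rebooted kernel honoured it, and the /etc/default/grub check covers the sed lines that keep the setting across a manual grub2-mkconfig.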
Next
Let's see how we can enable FIPS in OpenSSL via Python 3.7
Let's see how we can enable FIPS in OpenSSL via Python 3.9