build: introduce --openssl-is-fips flag #25412
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
the
build
|
Do you have any more details on the FIPs certification that RedHat got for OpenSSL 1.1.1 that you can share? |
|
@danbev sorry to bike-shed on the config name, but I was a bit confused by why it had to exist until I read the configure code. The problem is that we only specify FIPS build flags ATM when linking against a FIPS canister ( Can we call the new flag |
I'll try to find some information about this that I can share. @sam-github I like the suggestion. I'll follow up on this on Friday (I'm not working tomorrow). Thanks |
danbev
force-pushed
the
crypto_dynlink_fips
branch
from
e7194b3 to
e0229a2
Compare
danbev
changed the title
sam-github
approved these changes
Jan 11, 2019
|
Re-run of failing node-test-commit-windows-fanned |
addaleax
approved these changes
Jan 14, 2019
addaleax
added
the
author ready
|
Re-run of failing node-test-commit-arm |
This was referenced Jan 16, 2019
This commit introduces a new configuration flag named
--openssl-is-fips which is intended to be used when linking against
an OpenSSL library that is FIPS compatible.
The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8)
comes with OpenSSL 1.1.1 and includes FIPS support, and we would
like to be able to dynamically link against this version and also have
FIPS features enabled in node, like would be done when statically
linking and using the --openssl-fips flag.
The suggestion here is to introduce a new flag:
$ ./configure --help
...
--openssl-is-fips specifies that the shared OpenSSL version is FIPS
compatible
This flag could be used in combination with the shared-openssl flag:
$ ./configure --shared-openssl ---openssl-is-fips
This will enable FIPS support in node and the runtime flags will be
availalbe to enable FIPS (--enable-fips, --force-fips).
Currently, while FIPS is not supported yet for this release there might be an option to dynamically link against a FIPS compatible OpenSSL version. This commit fixes the compiler errors.
danbev
force-pushed
the
crypto_dynlink_fips
branch
from
e0229a2 to
8856979
Compare
|
Re-run of failing node-test-commit-arm-fanned ✔️ |
danbev
added a commit
that referenced
this pull request
Jan 17, 2019
This commit introduces a new configuration flag named
--openssl-is-fips which is intended to be used when linking against
an OpenSSL library that is FIPS compatible.
The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8)
comes with OpenSSL 1.1.1 and includes FIPS support, and we would
like to be able to dynamically link against this version and also have
FIPS features enabled in node, like would be done when statically
linking and using the --openssl-fips flag.
The suggestion here is to introduce a new flag:
$ ./configure --help
...
--openssl-is-fips specifies that the shared OpenSSL version is FIPS
compatible
This flag could be used in combination with the shared-openssl flag:
$ ./configure --shared-openssl ---openssl-is-fips
This will enable FIPS support in node and the runtime flags will be
availalbe to enable FIPS (--enable-fips, --force-fips).
PR-URL: #25412
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
danbev
added a commit
that referenced
this pull request
Jan 17, 2019
Currently, while FIPS is not supported yet for this release there might be an option to dynamically link against a FIPS compatible OpenSSL version. This commit fixes the compiler errors. PR-URL: #25412 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
addaleax
pushed a commit
that referenced
this pull request
Jan 23, 2019
This commit introduces a new configuration flag named
--openssl-is-fips which is intended to be used when linking against
an OpenSSL library that is FIPS compatible.
The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8)
comes with OpenSSL 1.1.1 and includes FIPS support, and we would
like to be able to dynamically link against this version and also have
FIPS features enabled in node, like would be done when statically
linking and using the --openssl-fips flag.
The suggestion here is to introduce a new flag:
$ ./configure --help
...
--openssl-is-fips specifies that the shared OpenSSL version is FIPS
compatible
This flag could be used in combination with the shared-openssl flag:
$ ./configure --shared-openssl ---openssl-is-fips
This will enable FIPS support in node and the runtime flags will be
availalbe to enable FIPS (--enable-fips, --force-fips).
PR-URL: #25412
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
addaleax
pushed a commit
that referenced
this pull request
Jan 23, 2019
Currently, while FIPS is not supported yet for this release there might be an option to dynamically link against a FIPS compatible OpenSSL version. This commit fixes the compiler errors. PR-URL: #25412 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit introduces a new configuration flag named
--openssl-is-fipswhich is intended to be used when linking againstan OpenSSL library that is FIPS compatible.
The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8)
comes with OpenSSL 1.1.1 and includes FIPS support, and we would
like to be able to dynamically link against this version and also have
FIPS features enabled in node, like would be done when statically
linking and using the
--openssl-fipsflag.The suggestion here is to introduce a new flag:
This flag could be used in combination with the
--shared-opensslflag:$ ./configure --shared-openssl --openssl-is-fipsThis will enable FIPS support in node and the runtime flags will be
availalbe to enable FIPS (
--enable-fips,--force-fips).Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes