-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIPS #18662
Comments
I found meeting notes from the Node TSC where they discussed this. Master was recently updated to support OpenSSL 1.1.0, which does not yet have a FIPS module. The TSC discussed dropping FIPS support or moving to a FIPS-compliant SSL library, such as BoringSSL. As of right now, it appears that Node v10 will support both versions of OpenSSL, at least for a certain period of time. This will allow us to build Node 10 using the OpenSSL FIPS module, as long s we target the previous OpenSSL version. All this is subject to change based on Node's and OpenSSL's roadmap and release schedule. I don't want to recap it again here, and risk being out-of-date, but there is a great writeup in this PR which details the Node TSC's OpenSSL Strategy going forward. |
ResearchUsing https://github.com/legrego/docker-node-fips, I was able to get a FIPS-enabled Node.js runtime on my machine. Once that was up, I cloned the kibana repo into the container and tried running ReportingReporting failed to load. Reporting uses PUID, which uses MD5 to generate a machine uid. I opened a PR against this to change the algorithm to something that can run in a FIPS environment. OptimizerWebpack and the various loaders use quite a bit of hashing for file names, caching, etc. I managed to trace down and "fix" a number of the usages (see https://github.com/legrego/kibana/tree/fips-compliance for my WIP), but our version of webpack (3.6) has a hard-coded reference to MD5 that I can't find a way around. It appears that v4.6 (??) made this configurable via webpack/webpack@2acd0d4, but I'm not sure if it will fix our problem or not. Short URLThe Saved Object ID for Short Links is generated using MD5, and should be updated to use a different algorithm. If I understand this correctly, it shouldn't be a breaking change to update this, but I'd love for someone else to help confirm this. X-Pack Test SuiteThe X-Pack test suite cannot currently be run within a fips environment, for two reasons (so far):
Test ResultsI did manage to run the OSS test suite ( I'm still working through this -- I'll udpate this comment as I learn more. |
Since edits don't notify subscribers, can you drop a new comment whenever you make progress in the research? Even if that new comment is just "updated research with more progress" :) |
"Updated research with more progress" -- Added findings for Short Links, the x-pack test suite, and general test results. I'm going to set this aside, for now, to focus on Spaces/RBAC work, but I'll pick this up again as time/priorities permit. |
An update on the current state of affairs: OpenSSL's FIPS Object Module is only compatible with OpenSSL versions 1.0.1 and 1.0.2 . See [1]. So to summarize, Kibana runs on Node.js, and (based on my research) there are no supported versions of Node.js which are able to take advantage of FIPS. OpenSSL has plans to support FIPS again though. Their original goal was to have FIPS mode completed by the end of 2019, but that didn't happen. Once OpenSSL finishes their work, then Node.js will need to release an update to support the new version of OpenSSL. [1] https://wiki.openssl.org/index.php/FIPS_modules |
Related: nodejs/node#37072 |
Could I also point out that if you're using a distribution that has a certified FIPS modules (Ubuntu, RedHat and others have gone through the considerable expense of certifying OpenSSL libraries on their platforms) then it would be reasonable to assume people use those distros (in some part) because of those certifications: when working in the public sector space, one has to use FIPS certified libraries when it comes to encryption. With all due respect to both the fine Node programmers and OpenSSL themselves, relying and on a non-profit to be able to go through the same expense in getting them certified is (IMHO) a little shortsighted, as that means that anyone wanting to use Node in a public sector setting has to revert back to OpenSSL 1.0.2g - and in doing so, one opens themselves up to the vulnerabilities of a library that aged. Having Node be able to be built by dynamically linking to those certified libraries would mean that Node would be FIPS compliant, and so, therefore, would any application that relies on Node that sits on top of it. |
It's no longer required to build a custom version of Node.js to support FIPS: https://nodejs.org/api/crypto.html#fips-mode I haven't spend enough time looking into this to figure out which version of Node.js this became possible as these docs changes hasn't been backported to the previous versions. But I think it might have been added in Node.js 17 (Kibana is currently running Node.js 16 with a Node.js 18 upgrade coming soon). |
Next steps as I see them:
|
We want to check that enabling FIPS mode in Node.js doesn't somehow mess the places we need to run using |
@watson - Any progress on this, or a schedule by which we'll know the schedule? Thanks |
@jstibbards-elastic, @kc13greiner and I are your contacts for Kibana FIPS work at this point. Kurt, would you mind setting up some time for the three of us to chat next week to get @jstibbards-elastic caught up? |
The work to enable FIPS 140-2 support has completed, and will be available in a forthcoming release. |
Some users require only FIPS compliant cryptographic algorithms, so we'll have to look into running NodeJS with the
--force-fips
flag and see what all we have to change to make this work.We could potentially run this for all installs of Kibana, or optionally allow it to be turned on. It all depends on the limitations when running in this mode.
The
--force-fips
flag doesn't work out of the box, and instead we'll have to build NodeJS with FIPS support. v8.11.1 supports it per: https://github.com/nodejs/node/blob/v8.11.1/BUILDING.mdbut they removed support in master per:
https://github.com/nodejs/node/blob/master/BUILDING.md#building-nodejs-with-fips-compliant-openssl with further reasoning provided by @legrego below.
ES Issue for tracking FIPS compliance: elastic/elasticsearch#29851
The text was updated successfully, but these errors were encountered: