[TT-8735] FIPS mode for Tyk #4559
Comments
For those who need more context, here is a good article explaining what it is in the Go context:
As for Tyk itself, it feels that supporting FIPS will mean compiling Tyk with a modified version of Go. Also I found relatively recent news that BoringCrypto support was merged as an experimental feature to Go upstream golang/go#51940, and it is possible to use it starting from Go 1.19. At the moment we do have a plan for upgrading to a newer Go in the next major release, but have not yet decided if it will be 1.18 or 1.19. This request will defo change the weight in favour of 1.19, but no guarantees of it yet. Also keep in mind that we try to prioritise features based on usage data, customer value and overall feedback. So if you are an existing Tyk customer, pls also ping us at support@tyk.io, it will help us with prioritization. If not, why are you still not a customer? 😄 But seriously, in any case write to us, and maybe you can be our early tester and help us build this functionality. Thank you!
Hey @buger, thanks for your response!
Have not tried this Dockerfile personally yet, but I see a mistake: you set the GOEXPERIMENT variable before building the plugin, and not for Tyk itself. So the last line can look like:
That was the thing! I missed that 'go build' line. Thank you @buger
Hey @buger,
As I can see it is not really about replacing all imports, but just adding this import anywhere in the code; look at the comment here https://go.googlesource.com/go/+/dev.boringcrypto/src/crypto/tls/fipsonly/fipsonly.go E.g. it should have
@erweinst Just following up, how is it going?
Hey @buger, the compilation part and the symbols validation part look ok.
Hello @buger, I could not find any relevant information about this. Thanks!
@DavidTal this error comes from a URLRewrite misconfiguration; some variable which you use there has issues.
@erweinst @DavidTal I did some deeper investigation, and in general to get FIPS compliance it is required to ensure that the application uses specific ciphers for all incoming and outgoing communications. And Tyk allows dynamically configuring most of it, without re-compilation. I created a very early draft for such docs, what do you think? Thanks!
@buger that is awesome! A couple of notes/questions:
Hope it makes sense!
Hello @buger, after upgrading to branch v4.0.3 as suggested I have noticed some behavior changes. Yet in the current v4.0.3 version we get: In the code I see that auth_manager.go was changed, and the KeyAuthorised function was removed. Does it explain the difference in the response code? Another issue that I see is the message in the log: Thanks!
@DavidTal it would be great to move this to a separate GitHub issue, since it is not relevant to FIPS 😅 Overall it depends on which version you are migrating from; it is OK to have some small changes in logging between major versions. But this specific message depends on context, because the "Key not authorised" message is still used by OpenID, oAuth and Coprocess plugins, so it depends on the auth method you have, and can be some other symptom https://github.com/search?q=repo%3ATykTechnologies%2Ftyk+%22Key+not+authorised%22&type=code As for tyk_meta, it depends where it was used. If it is used in URLRewrite it is one thing; if it is used in body transformation, it may require setting Line 234 in a36064a
Hi @buger
@DavidTal this is a VERY OLD version, and has not been supported for a few years at least. So even from this point of view, better to migrate to the 4.0.X branch. But overall it feels that this option was available in the 2.5 version https://github.com/TykTechnologies/tyk/blob/v2.5.5/apidef/api_definitions.go#L83
@erweinst I made my PR pass tests, and generated unstable images/packages under the v5.0.0-fips tag, in our unstable channel: https://packagecloud.io/tyk/tyk-gateway-unstable?page=1 Keep in mind this is an early RC and we do not yet know in which release it will land, and how we will treat it commercially, but I'm positive. Thanks!
To give an update on this - we are looking to add FIPS compliance to the Tyk stack towards the end of this year. I'll update this channel as we make progress. Thanks for supporting Tyk!
awk 'NR==4{print "\t_ \"crypto/tls/fipsonly\""}1' main.go > /tmp/main.go && mv -f /tmp/main.go main.go
@andyo-tyk any update?
Sorry for the much later than planned update on this - and unfortunately it's not the news I wanted to be able to share. Following significant discussion with our legal team, we've identified that Tyk is unable to provide a formal FIPS version of the OSS Gateway due to the legal implications this could entail. Please see this docs page for the details and, if you're a licensed customer of Tyk, please speak to your Account Manager if you require further information.
Is your feature request related to a problem? Please describe.
We are using Tyk as our main API gateway in numerous products running in production. It is a containerized version we compile from the code base and push to an internal Docker registry.
As part of a security auditing process we are running, we need to ensure all components are FIPS compliant.
Nginx has that option available: https://docs.nginx.com/nginx/fips-compliance-nginx-plus/
Describe the solution you'd like
We'd like to have Tyk with FIPS mode.
Describe alternatives you've considered
Unfortunately we don't have alternatives. We must have this FIPS mode on or we need to migrate to another gateway solution.