Is it possible to set OpenSSL in FIPS mode?

[diazdiego86]

Description

I've read the documentation and I was wondering if there is a configuration for setting OpenSSL in Fips mode.

Checklist

Please provide the following information:

• librdkafka version (release number or git tag): 0.9.1
• Apache Kafka version:
• librdkafka client configuration:
• Operating system: GNU/Linux
• Using the legacy Consumer
• Using the high-level KafkaConsumer
• Provide logs (with debug=.. as necessary) from librdkafka
• Provide broker log excerpts
• Critical issue

[edenhill]

Not currently no.

There is this, which seems simple enough:
https://wiki.openssl.org/index.php/FIPS_mode_set()

Do you think anything else is required?

[diazdiego86]

I don't think so... I was just thinking it would be nice to do this FIPS_mode_set() at librdkafka, not at the application layer since this one doesn't know anything about openssl.

Thanks for the quick response, Magnus

[edenhill]

Sure, I can add a config setting for that, e.g.:
ssl.fips.mode.enable=true

Sounds good?

[diazdiego86]

Yeah, sounds great!

Thanks!

[edenhill]

Come to think of it this is a global setting covering all SSL contexts, not only those in use by librdkafka, so having this as a config option could pose a security risk to the application.

[diazdiego86]

You're right. I'll need to handle this at the app level.

Thank you, again