
Apply Ruby patch to enable FIPS with OpenSSL 3 #804

Merged

Conversation

mhashizume (Contributor)

Prior to this commit, attempting to enable fips_mode in Ruby 3.2.3's OpenSSL gem would cause the error "This version of OpenSSL does not support FIPS mode (OpenSSL::OpenSSLError)". This was due to OpenSSL removing the FIPS_mode() function in OpenSSL 3, which Ruby previously relied on to detect if FIPS was enabled.

Upstream has fixed this incompatibility with OpenSSL 3 in Ruby 3.3. The contributor has indicated that the fix should be backported to Rubies 3.0-3.2 in the future.

This commit applies Ruby's fix as a patch.

See also:

@mhashizume mhashizume force-pushed the PA-5865/master/fips-detection branch from 87102b1 to 28b5670 March 14, 2024 22:36
mhashizume (Contributor, Author)

The original Ruby patch modified two files, but I removed the patched test file as it caused compilation failures that I did not fully understand (and I assumed that we don't need to ship Ruby's tests).

Prior to this commit, attempting to enable fips_mode in Ruby 3.2.3's
OpenSSL gem would cause the error "This version of OpenSSL does not
support FIPS mode (OpenSSL::OpenSSLError)". This was due to OpenSSL
removing the FIPS_mode() function in OpenSSL 3, which Ruby previously
relied on to detect if FIPS was enabled.

Upstream has fixed this incompatibility with OpenSSL 3 in Ruby 3.3. The
contributor has indicated that the fix may be backported to Rubies
3.0-3.2 in the future.

This commit applies Ruby's fix as a patch.

See also:
- ruby/ruby@678d41b
- https://bugs.ruby-lang.org/issues/20000
@mhashizume mhashizume force-pushed the PA-5865/master/fips-detection branch from 28b5670 to 1de4038 March 14, 2024 22:54
mhashizume (Contributor, Author)

To be clear: this patch enables us to turn on OpenSSL.fips_mode, but it is not turned on by default:

[root@unnamed-summary ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 (Plow)
[root@unnamed-summary ~]# fips-mode-setup --check
FIPS mode is enabled.
[root@unnamed-summary ~]# /opt/puppetlabs/puppet/bin/ruby -v
ruby 3.2.3 (2024-01-18 revision 52bb2ac0a6) [x86_64-linux]
[root@unnamed-summary ~]# /opt/puppetlabs/puppet/bin/irb
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL.fips_mode
=> false
irb(main):003:0> OpenSSL.fips_mode = true
=> true
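
The irb session above is the manual check. The script below is an added example (it is not part of this pull request or of the puppet-runtime project) that turns the same check into a startup self-test a packaged Ruby can run on a FIPS host: it reports the linked OpenSSL library and current fips_mode, tries to enable FIPS mode while catching the OpenSSL::OpenSSLError that an unpatched Ruby 3.2 raises on OpenSSL 3, and then probes whether a non-approved digest (MD5) is actually refused, because fips_mode reading true is only meaningful if the library enforces it. The function names fips_status, try_enable_fips and digest_usable? are my own; the --enable flag is likewise an assumption of this script, not an option of any Puppet tool.

```ruby
require 'openssl'

# Report which OpenSSL library Ruby is linked against, which openssl gem is
# loaded, and whether FIPS mode is currently on. Nothing here mutates state.
def fips_status
  {
    openssl_library: OpenSSL::OPENSSL_LIBRARY_VERSION,
    openssl_gem:     OpenSSL::VERSION,
    fips_mode:       OpenSSL.fips_mode
  }
end

# Attempt to turn FIPS mode on and return a symbol instead of raising, so a
# caller can log the outcome:
#   :already_enabled  fips_mode was already true
#   :enabled          the assignment succeeded and fips_mode now reads true
#   :unsupported      the gem/library combination refused; on OpenSSL 3 with
#                     an unpatched Ruby 3.2 this is the "This version of
#                     OpenSSL does not support FIPS mode" OpenSSL::OpenSSLError
def try_enable_fips
  return :already_enabled if OpenSSL.fips_mode
  OpenSSL.fips_mode = true
  OpenSSL.fips_mode ? :enabled : :unsupported
rescue OpenSSL::OpenSSLError => e
  warn "fips_mode could not be enabled: #{e.message}"
  :unsupported
end

# Probe whether a digest can actually be computed. MD5 works in non-FIPS mode
# and fails to initialise under a FIPS provider, so it distinguishes "the flag
# reads true" from "the library enforces it". Ruby raises either an
# OpenSSL::Digest::DigestError (init failure) or a RuntimeError (unknown
# algorithm) for refused digests; both map to false here.
def digest_usable?(name, data = 'probe')
  OpenSSL::Digest.new(name).update(data).hexdigest
  true
rescue OpenSSL::OpenSSLError, RuntimeError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "status before: #{fips_status}"
  # Only flip the mode when explicitly asked (--enable is this script's own flag).
  puts "enable: #{try_enable_fips}" if ARGV.include?('--enable')
  puts "status after:  #{fips_status}"
  puts "md5 usable:    #{digest_usable?('md5')}"    # false once FIPS is enforced
  puts "sha256 usable: #{digest_usable?('sha256')}"
end
```

Run `ruby fips_check.rb` to report without changing anything, or `ruby fips_check.rb --enable` to reproduce the irb steps above and see MD5 become unusable. Note that on OpenSSL 3 the assignment only sets the default property query to prefer FIPS-approved implementations; if the FIPS provider is not installed and activated in the system's OpenSSL configuration, fips_mode can read true while every digest (SHA-256 included) fails, which is exactly the case the MD5/SHA-256 probes are meant to surface.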

@mhashizume mhashizume marked this pull request as ready for review March 15, 2024 16:28
@mhashizume mhashizume requested review from a team as code owners March 15, 2024 16:28
@joshcooper joshcooper merged commit 096e683 into puppetlabs:master Mar 15, 2024
3 checks passed
@mhashizume mhashizume deleted the PA-5865/master/fips-detection branch March 15, 2024 18:32
@joshcooper joshcooper added the bug Something isn't working label Apr 5, 2024