-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: introduce --openssl-is-fips flag #25412
Conversation
Do you have any more details on the FIPs certification that RedHat got for OpenSSL 1.1.1 that you can share? |
@danbev sorry to bike-shed on the config name, but I was a bit confused by why it had to exist until I read the configure code. The problem is that we only specify FIPS build flags ATM when linking against a FIPS canister ( Can we call the new flag
|
I'll try to find some information about this that I can share. @sam-github I like the suggestion. I'll follow up on this on Friday (I'm not working tomorrow). Thanks |
e7194b3
to
e0229a2
Compare
Re-run of failing node-test-commit-windows-fanned |
Re-run of failing node-test-commit-arm |
This commit introduces a new configuration flag named --openssl-is-fips which is intended to be used when linking against an OpenSSL library that is FIPS compatible. The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8) comes with OpenSSL 1.1.1 and includes FIPS support, and we would like to be able to dynamically link against this version and also have FIPS features enabled in node, like would be done when statically linking and using the --openssl-fips flag. The suggestion here is to introduce a new flag: $ ./configure --help ... --openssl-is-fips specifies that the shared OpenSSL version is FIPS compatible This flag could be used in combination with the shared-openssl flag: $ ./configure --shared-openssl ---openssl-is-fips This will enable FIPS support in node and the runtime flags will be availalbe to enable FIPS (--enable-fips, --force-fips).
Currently, while FIPS is not supported yet for this release there might be an option to dynamically link against a FIPS compatible OpenSSL version. This commit fixes the compiler errors.
e0229a2
to
8856979
Compare
Re-run of failing node-test-commit-arm-fanned ✔️ |
This commit introduces a new configuration flag named --openssl-is-fips which is intended to be used when linking against an OpenSSL library that is FIPS compatible. The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8) comes with OpenSSL 1.1.1 and includes FIPS support, and we would like to be able to dynamically link against this version and also have FIPS features enabled in node, like would be done when statically linking and using the --openssl-fips flag. The suggestion here is to introduce a new flag: $ ./configure --help ... --openssl-is-fips specifies that the shared OpenSSL version is FIPS compatible This flag could be used in combination with the shared-openssl flag: $ ./configure --shared-openssl ---openssl-is-fips This will enable FIPS support in node and the runtime flags will be availalbe to enable FIPS (--enable-fips, --force-fips). PR-URL: #25412 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Currently, while FIPS is not supported yet for this release there might be an option to dynamically link against a FIPS compatible OpenSSL version. This commit fixes the compiler errors. PR-URL: #25412 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
This commit introduces a new configuration flag named --openssl-is-fips which is intended to be used when linking against an OpenSSL library that is FIPS compatible. The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8) comes with OpenSSL 1.1.1 and includes FIPS support, and we would like to be able to dynamically link against this version and also have FIPS features enabled in node, like would be done when statically linking and using the --openssl-fips flag. The suggestion here is to introduce a new flag: $ ./configure --help ... --openssl-is-fips specifies that the shared OpenSSL version is FIPS compatible This flag could be used in combination with the shared-openssl flag: $ ./configure --shared-openssl ---openssl-is-fips This will enable FIPS support in node and the runtime flags will be availalbe to enable FIPS (--enable-fips, --force-fips). PR-URL: #25412 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Currently, while FIPS is not supported yet for this release there might be an option to dynamically link against a FIPS compatible OpenSSL version. This commit fixes the compiler errors. PR-URL: #25412 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
This commit introduces a new configuration flag named
--openssl-is-fips
which is intended to be used when linking againstan OpenSSL library that is FIPS compatible.
The motivation for this is that Red Hat Enterprise Linux 8 (RHEL8)
comes with OpenSSL 1.1.1 and includes FIPS support, and we would
like to be able to dynamically link against this version and also have
FIPS features enabled in node, like would be done when statically
linking and using the
--openssl-fips
flag.The suggestion here is to introduce a new flag:
This flag could be used in combination with the
--shared-openssl
flag:$ ./configure --shared-openssl --openssl-is-fips
This will enable FIPS support in node and the runtime flags will be
availalbe to enable FIPS (
--enable-fips
,--force-fips
).Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes