OpenSSL-FIPS - netty-tcnative


Mallik Soupati
Jun 25, 2018, 7:17:27 AM
to Netty discussions
I would like to build the netty-tcnative project locally to generate the openssl-static jar. In fact, I was able to do it, and it works fine. But my requirement includes linking OpenSSL with FIPS to netty-tcnative. Is there an easy way to do that by changing the build process/scripts? Or please let me know if that feature is already in place.

thanks.

Norman Maurer
Jun 25, 2018, 7:21:00 AM
to ne...@googlegroups.com
I think your best bet is to adjust the openssl-static/pom.xml file. There is a “build-openssl” id which defines how openssl is built. Let me know if you have any more questions.


Bye
Norman



Mallik Soupati
Jun 25, 2018, 7:26:13 AM
to Netty discussions
I was looking at exactly that file. Wow, thanks a lot. I will update once I build, in a few hours.

thanks,

Mallik Soupati
Jun 25, 2018, 7:58:46 AM
to Netty discussions
I can see OpenSSL built with FIPS.

Change:
tcnative-src/netty-tcnative/openssl-static/pom.xml
<mkdir dir="${sslHome}" />
<exec executable="config" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
  <arg line="fips --with-fipsdir=/data/ssl/fips2.0 -O3 -fno-omit-frame-pointer -fPIC no-ssl2 no-ssl3 no-shared no-comp -DOPENSSL_NO_HEARTBEATS --prefix=${sslHome} --openssldir=${sslHome}" />

Verify:
[root@localmail bin]# pwd
/home/eng/tcnative-src/netty-tcnative/openssl-static/target/ssl/bin
[root@localmail bin]# ./openssl
OpenSSL> version
OpenSSL 1.0.2n-fips  7 Dec 2017
OpenSSL>

thanks,

Norman Maurer
Jun 25, 2018, 7:59:25 AM
to ne...@googlegroups.com
Cool…

If you have any more questions just ask, happy to help.

Norman


Mallik Soupati
Jun 26, 2018, 2:46:35 AM
to Netty discussions
I thank you and appreciate your efforts in Netty projects.

I am posting my second question on the same thread since it is related to FIPS yet again. Though I built netty-tcnative with statically linked OpenSSL (FIPS), how would I know if netty-tcnative is really calling the FIPS module's API? I didn't notice yet any configuration that calls something like "FIPS_mode_set()". Unless the application is really using OpenSSL FIPS mode, we can't call it compliant.
Please advise if there is a way around it.

Please let me know if my question is not clear enough to express the issue.

thanks,

Norman Maurer
Jun 26, 2018, 2:48:13 AM
to ne...@googlegroups.com
I suspect you would need to make these method calls yourself, or alternatively we could add these if FIPS is used. I have never used FIPS, so I am not sure what exactly would be expected to be called and when, tho :(

Bye
Norman


Mallik Soupati
Jun 26, 2018, 7:19:34 AM
to Netty discussions
Though I am not sure how to get it to work with Netty at this moment, I have quickly gone through the Tomcat 9/tcnative docs and found that it has an implementation for FIPSMODE; it's a JNI call.

Here are the files I quickly went through:
----------------------
Tomcat 9:
https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html#APR_Lifecycle_Listener_-_org.apache.catalina.core.AprLifecycleListener
org/apache/catalina/core/AprLifecycleListener.java
org/apache/tomcat/jni/SSL.java

netty-tcnative:
io/netty/internal/tcnative/SSL.java
c/ssl.c
-----------------------
I think it can be implemented in netty-tcnative as well.

Norman Maurer
Jun 26, 2018, 8:28:42 AM
to ne...@googlegroups.com
Thanks for the pointers.

Can you try to build your netty-tcnative from the branch used in this PR (you will still need to enable FIPS as you did before when compiling):


Then in your code use the following:

OpenSsl.ensureAvailable();
SSL.setFipsMode(1);

This needs to be done before you try to use any SSL stuff in netty.

Let me know if this works. If it does we can see how to make this a bit easier.

Mallik Soupati
Jun 27, 2018, 1:54:07 AM
to Netty discussions
I will update here.

thanks,

Norman Maurer
Jul 3, 2018, 1:06:55 AM
to ne...@googlegroups.com, malli...@gmail.com
Any update?



Mallik Soupati
Jul 5, 2018, 5:06:10 AM
to Netty discussions
I checked out the pull request: https://github.com/netty/netty-tcnative/pull/367
and built it with the following local changes:


[root@localmail netty-tcnative]# pwd
/home/eng/tcnative-src/netty-tcnative
[root@localmail netty-tcnative]# git diff
diff
--git a/openssl-static/pom.xml b/openssl-static/pom.xml
index
146292b..420529c 100644
--- a/openssl-static/pom.xml
+++ b/openssl-static/pom.xml
@@ -228,7 +228,7 @@

 
                     
<mkdir dir="${sslHome}" />
                     
<exec executable="config" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
-                      <arg line="-O3 -fno-omit-frame-pointer -fPIC no-ssl2 no-ssl3 no-shared no-comp -DOPENSSL_NO_HEARTBEATS --prefix=${sslHome} --openssldir=${sslHome}" />
+                      <arg line="fips --with-fipsdir=/data/ssl/fips2.0 -O3 -fno-omit-frame-pointer -fPIC no-ssl2 no-ssl3 no-shared no-comp -DOPENSSL_NO_HEARTBEATS --prefix=${sslHome} --open
                     </exec>
                     <exec executable="
make" failonerror="true" dir="${opensslBuildDir}" resolveexecutable="true">
                       <arg value="
depend" />
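Review bot: the added `<arg line="fips --with-fipsdir=/data/ssl/fips2.0 ...">` hardcodes an absolute path from this build machine and switches FIPS on for every openssl-static build. Make the FIPS module location a Maven property (for example `${fipsDir}`) and keep the `fips --with-fipsdir=${fipsDir}` prefix behind a profile, so the default build still gets the original `<arg line="-O3 -fno-omit-frame-pointer -fPIC ...">`. The pasted `+` line also ends at `--open`; confirm that the full `--openssldir=${sslHome}` argument is present in the actual file, as shown in the earlier message in this thread.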
diff --git a/pom.xml b/pom.xml
index 35a5e1f..2dfe98c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -65,8 +65,8 @@
         - Record the sha256: sha1sum -a 256 libressl-{libresslVersion}.tar.gz (shasum on osx)
     -->
     <libresslSha256>1e3a9fada06c1c060011470ad0ff960de28f9a0515277d7336f7e09362517da6</libresslSha256>
-    <opensslMinorVersion>1.1.0</opensslMinorVersion>
-    <opensslPatchVersion>h</opensslPatchVersion>
+    <opensslMinorVersion>1.0.2</opensslMinorVersion>
+    <opensslPatchVersion>o</opensslPatchVersion>
     <opensslVersion>${opensslMinorVersion}${opensslPatchVersion}</opensslVersion>
     <opensslSha256>5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517</opensslSha256>
     <aprHome>${project.build.directory}/apr</aprHome>
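Review bot: `<opensslMinorVersion>` and `<opensslPatchVersion>` are changed from 1.1.0h to 1.0.2o, but `<opensslSha256>` on the context line just below is untouched, so it still holds the digest of the previous tarball and the checksum of the downloaded openssl-1.0.2o.tar.gz will not match. Update the digest (computed the same way the comment above describes for the libressl tarball) rather than skipping the verification. Because this downgrades OpenSSL for the whole project, consider scoping the 1.0.2 version together with the FIPS configure flags to a single profile instead of changing the defaults.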
[root@localmail netty-tcnative]


Everything went well. I was able to initialize FIPS mode with SSL.setFipsMode(1). However, I did not verify any specific FIPS features yet. I will update eventually when I try anything specific. For now it is only to make sure that the code got built and ran without errors.
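As an added example (not code from the netty-tcnative project or from anyone in this thread), the two calls Norman suggests and the runtime verification Mallik says is still missing, combined into one startup check that refuses to continue unless OpenSSL reports FIPS mode as enabled. It assumes netty-tcnative built with the FIPS-enabled openssl-static as described above, the tomcat-native-style JNI names `SSL.fipsModeSet(int)` and `SSL.fipsModeGet()` in `io.netty.internal.tcnative.SSL` (the PR's names may differ; Norman writes `SSL.setFipsMode(1)` and Mallik `fipsModeSet`, so adjust to whatever your build exposes), and `OpenSsl.ensureAvailable()` / `OpenSsl.versionString()` from netty-handler.

```java
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.internal.tcnative.SSL;

/**
 * Added example, not part of netty or netty-tcnative.
 * Fails fast at startup unless the statically linked OpenSSL is really running
 * in FIPS mode, so that no SslContext can be created outside FIPS mode by mistake.
 */
public final class FipsStartupCheck {

    private static final int FIPS_ON = 1; // value passed to / returned by the JNI calls (assumed)

    private FipsStartupCheck() {
    }

    /**
     * Enables FIPS mode once and verifies it took effect.
     * Must run before any SslContext is built (see Norman's note in the thread).
     *
     * @throws IllegalStateException if the native library is missing or FIPS mode
     *         cannot be enabled (e.g. openssl-static was built without the FIPS module)
     */
    public static void enableFipsOrDie() {
        // Loads netty-tcnative and the static OpenSSL it carries; throws if unavailable.
        OpenSsl.ensureAvailable();

        try {
            // Assumed JNI names: fipsModeGet()/fipsModeSet(int) as in tomcat-native's SSL class.
            if (SSL.fipsModeGet() != FIPS_ON) {
                // FIPS_mode_set(1) in OpenSSL terms; throws when the FIPS module is not linked in
                // or its integrity self-test fails.
                SSL.fipsModeSet(FIPS_ON);
            }
            // Read the mode back instead of trusting that the set call succeeded.
            if (SSL.fipsModeGet() != FIPS_ON) {
                throw new IllegalStateException(
                        "OpenSSL still reports FIPS mode off after fipsModeSet(1)");
            }
        } catch (Exception e) {
            throw new IllegalStateException("FIPS mode is required but could not be enabled; "
                    + "check that openssl-static was configured with 'fips --with-fipsdir=...'", e);
        }
    }

    /** Returns the OpenSSL version string, useful to log that the "-fips" build is loaded. */
    public static String describeRuntime() {
        return "OpenSSL " + OpenSsl.versionString() + ", FIPS mode on";
    }

    public static void main(String[] args) throws Exception {
        enableFipsOrDie();
        System.out.println(describeRuntime());

        // Only now build SSL contexts; anything created before enableFipsOrDie()
        // would have been initialised outside FIPS mode.
        SslContext clientCtx = SslContextBuilder.forClient()
                .sslProvider(SslProvider.OPENSSL)
                .build();
        System.out.println("Created " + clientCtx.getClass().getSimpleName() + " under FIPS mode");
    }
}
```

Call `FipsStartupCheck.enableFipsOrDie()` from the application's entry point before any channel initializer runs. A "-fips" suffix in the version string only shows that the FIPS object module was compiled in; the `fipsModeGet()` read-back after the set call is what tells you the process is actually operating in FIPS mode, which is the point Mallik raised about compliance.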

Mallik Soupati
Jul 5, 2018, 5:06:44 AM
to Norman Maurer, ne...@googlegroups.com
Hi Norman,
I posted the update in the group.

I could initialize FIPS in my application without errors by calling fipsModeSet.


thanks,


Mallik Soupati
Jul 5, 2018, 5:06:45 AM
to Netty discussions
Pages: 15,16,30

FIPS 2.0 (recommended) is compatible with OpenSSL 1.0.1 and 1.0.2 versions. However, tcnative builds the latest OpenSSL (1.1.0); that needs to be taken care of as well.

thanks,

Norman Maurer
Jul 9, 2018, 10:10:27 AM
to Netty discussions
Alright, once you have verified that everything really works once enabled, let me know and I will merge the PR.

Thanks
Norman