RabbitMQ - FIPS Mode


Satheesh Kumar

Mar 8, 2023, 3:21:54 AM
to rabbitmq-users
Hi,

I'm running OpenSSL 1.0.2 and Erlang 25.2.3, both with FIPS enabled.
Now I want to enable FIPS mode in RabbitMQ; for that I have removed TLSv1.1, added FIPS-supported ciphers, and also added {crypto, [{fips_mode, true}]} in advanced.config.

Do we need to add only {crypto, [{fips_mode, true}]}, or is any other configuration needed?

I tried the following configuration but received an error.

Sample config:
{rabbitmq_web_stomp,
  [
   {use_http_auth, true},
   {ssl_config, [{port,       15672},
                 {backlog,    1024},
                 {recbuf,     32768},
                 {sndbuf,     32768},
                 {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
                 {certfile,   "/etc/rabbitmq/ssl/server.pem"},
                 {keyfile,    "/etc/rabbitmq/ssl/server.key"},
                 {versions,   ['tlsv1.2']},
                 {dhfile,     "/etc/rabbitmq/ssl/dh-params.pem"},
                 {ciphers,    [{ecdhe_ecdsa, aes_128_gcm, null, sha256},
                               {ecdhe_rsa,   aes_128_gcm, null, sha256}]},
                 {crypto, [{fips_mode, true}]}
                ]}
  ]},

Luke Bakken

Mar 8, 2023, 9:53:52 AM
to rabbitmq-users
Hello,

Does it make sense to enable FIPS using an out-of-support version of OpenSSL? Which do you think is more secure - FIPS, or an OpenSSL with bug fixes and security patches?

Satheesh Kumar

Mar 8, 2023, 11:24:29 PM
to rabbitmq-users
Hello Luke,

Since Ubuntu and RHEL provide OpenSSL 1.1.1 in FIPS mode, and this version of OpenSSL is still valid, I'll migrate to that, but what configuration changes do we need to make in RabbitMQ to make it FIPS compliant?

As of now:
1. {crypto, [{fips_mode, true}]} in advanced.config
2. Added FIPS-enabled ciphers
3. Removed TLS 1.1

Satheesh Kumar

Mar 9, 2023, 2:04:46 PM
to rabbitmq-users
Hello Luke,

Can you please provide the solution?

Since Ubuntu and RHEL provide OpenSSL 1.1.1 in FIPS mode, and this version of OpenSSL is still valid, I'll migrate to that, but what configuration changes do we need to make in RabbitMQ to make it FIPS compliant?

As of now I have done:
1. {crypto, [{fips_mode, true}]} in advanced.config
2. Added FIPS-enabled ciphers
3. Removed TLS 1.1

Luke Bakken

Mar 9, 2023, 4:08:30 PM
to rabbitmq-users
Hello,

Do NOT reply to your message to "bump" it - it is very rude.

We try to respond within a week to all messages posted to this mailing list. If this is an urgent issue, paid support for RabbitMQ is available - https://www.rabbitmq.com/#support

You made the statement "I tried the following configuration but received an error" but didn't provide the error, so I can't assist you further.

Thanks,
Luke

dca...@vmware.com

Mar 9, 2023, 8:12:02 PM
to rabbitmq-users
There is no FIPS module for OpenSSL 1.1.
https://wiki.openssl.org/index.php/FIPS_modules

Satheesh Kumar

Mar 9, 2023, 11:36:24 PM
to rabbitm...@googlegroups.com
Hello Luke,

No, the last question I was asking:

If I use the RHEL image, it supports OpenSSL 1.1.1 in FIPS mode (valid till September 2023).

So on top of that I can build Erlang in FIPS mode.

I just wanted to know what configuration I need to do in RabbitMQ.

As of now I have changed the following configuration in RabbitMQ. Please let me know what else I can add in RabbitMQ to make it FIPS compliant.

1. {crypto, [{fips_mode, true}]} in advanced.config
2. Added FIPS-enabled ciphers
3. Removed TLS 1.1

Satheesh Kumar

Mar 13, 2023, 6:26:40 AM
to rabbitmq-users
Also want to know:

If we can use any of the following commands to verify FIPS mode:

rabbitmqctl eval 'rabbit_fips:status().'
rabbitmqctl eval 'application:get_env(rabbit, fips_mode).'
rabbitmqctl eval 'ssl:info().'

rabbitmqctl eval 'ssl:system_info(fips_mode).'
rabbitmqctl eval 'ssl:system_info(crypto, fips_mode).'

rabbitmqctl environment | grep fips_mode

Luke Bakken

Mar 14, 2023, 10:55:22 AM
to rabbitmq-users
Hello,

Please read this discussion with regard to OpenSSL 1.1.1 and FIPS - https://github.com/openssl/openssl/issues/7582
This means that the Ubuntu/RHEL OpenSSL 1.1.1 that includes FIPS is not official. Be warned!

rabbitmqctl eval 'rabbit_fips:status().'
rabbitmqctl eval 'application:get_env(rabbit, fips_mode).'
rabbitmqctl eval 'ssl:info().'

rabbitmqctl eval 'ssl:system_info(fips_mode).'
rabbitmqctl eval 'ssl:system_info(crypto, fips_mode).'

rabbitmqctl environment | grep fips_mode

Have you actually run any of the commands you list above?

Please see the Erlang docs to see what functions are in the "ssl" module (hint, system_info is not one of them) - https://www.erlang.org/doc/man/ssl.html
Luke

Satheesh Kumar

Mar 14, 2023, 2:43:52 PM
to rabbitm...@googlegroups.com
This means that the Ubuntu/RHEL OpenSSL 1.1.1 that includes FIPS is not official. Be warned! - Yes, I understand the risk.

I have run all the commands, but this alone worked:

/ $ rabbitmqctl environment | grep fips_mode
 {crypto,[{fips_mode,true},{rand_cache_size,896}]},

Also want to know, from the RabbitMQ perspective, what changes I need to make other than the following:

1. {crypto, [{fips_mode, true}]} in advanced.config
2. Added FIPS-enabled ciphers in ssl
3. Removed TLS 1.1 in ssl

Thanks and Regards
Satheesh Kumar SS


Satheesh Kumar

Mar 17, 2023, 1:06:39 PM
to rabbitmq-users
Hi Luke,

Can you reply to the above questions?

Luke Bakken

Mar 18, 2023, 11:11:07 AM
to rabbitmq-users

Satheesh Kumar

Mar 22, 2023, 2:15:00 PM
to rabbitmq-users
Hi Luke,

I am unable to identify what else I need to do apart from the configuration I mentioned above, and also the verification steps.

Could you please point to the exact one?

Luke Bakken

Mar 27, 2023, 10:45:55 AM
to rabbitmq-users
If the Erlang VM you are using has been compiled with FIPS support, then setting {crypto, [{fips_mode, true}]} in advanced.config will enable it for Erlang (and thus RabbitMQ).

As I pointed out earlier, the above is documented here: https://www.erlang.org/doc/apps/crypto/fips.html#enabling-fips-mode

You can confirm the above by running the following command:

rabbitmqctl eval 'crypto:info_fips().'

I don't believe steps 2 or 3 are necessary as crypto algorithms that are not supported by FIPS will be disabled within OpenSSL. Again, that is documented in the link I provided, as well as the OpenSSL documentation.

On Wednesday, March 22, 2023 at 11:15:00 AM UTC-7 sathee...@gmail.com wrote:
Hi Luke,

I am unable to identify what else I need to do apart from the configuration I mentioned above, and also the verification steps.

Could you please point to the exact one?

Rin Kuryloski

Mar 29, 2023, 3:12:14 AM
to rabbitmq-users
It may be necessary to set that config via the `RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS` environment variable, `RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-crypto fips_mode true"`, instead of using advanced config.

The Erlang docs state "Set the fips_mode configuration setting of the crypto application to true before loading the crypto module.", and crypto may have already been loaded by the time advanced config is parsed.

If rabbitmqctl eval 'crypto:info_fips().' reported the expected value with advanced config, then I guess I am mistaken and either option should work.
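An advanced.config laid out the way Luke's and Rin's replies describe, added here as an example (it is not code from any poster or from the RabbitMQ project): the crypto entry is a top-level application entry rather than a key inside ssl_config as in the posted sample, and the listener settings and file paths are carried over from that sample, assuming the rabbitmq_web_stomp plugin is the listener being secured.

```erlang
%% advanced.config: a single Erlang term list terminated by a period.
%% Added example, not from the thread. Paths and listener settings are
%% carried over from the posted sample, which had placed the crypto entry
%% inside ssl_config; the crypto application needs its own top-level entry.
[
 %% Enables FIPS mode in the Erlang crypto application. It only takes
 %% effect if the VM was built with FIPS support. Verify with
 %%   rabbitmqctl eval 'crypto:info_fips().'
 %% which should return enabled (not not_supported or not_enabled).
 %% If crypto is already loaded before this file is read, pass the same
 %% setting at VM start instead:
 %%   RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS="-crypto fips_mode true"
 {crypto, [{fips_mode, true}]},

 {rabbitmq_web_stomp,
  [
   {use_http_auth, true},
   {ssl_config, [{port,       15672},
                 {backlog,    1024},
                 {recbuf,     32768},
                 {sndbuf,     32768},
                 {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
                 {certfile,   "/etc/rabbitmq/ssl/server.pem"},
                 {keyfile,    "/etc/rabbitmq/ssl/server.key"},
                 {dhfile,     "/etc/rabbitmq/ssl/dh-params.pem"},
                 %% Restricting versions and ciphers is optional here: with
                 %% FIPS mode on, OpenSSL itself disables non-approved
                 %% algorithms. Kept from the sample as an explicit policy.
                 {versions,   ['tlsv1.2']},
                 {ciphers,    [{ecdhe_ecdsa, aes_128_gcm, null, sha256},
                               {ecdhe_rsa,   aes_128_gcm, null, sha256}]}
                ]}
  ]}
].
```

After restarting the node, rabbitmqctl environment | grep fips_mode should show {crypto,[{fips_mode,true},...]} and crypto:info_fips() should report enabled; not_supported means the Erlang build lacks FIPS support regardless of this file.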

Satheesh Kumar

Jun 9, 2023, 3:14:25 PM
to rabbitmq-users
Hello Luke,

I have been following your discussion regarding the ticket on GitHub (https://github.com/erlang/otp/issues/6406). Based on that, I wanted to confirm if it will be possible for us to compile Erlang in FIPS mode using OpenSSL 3.0.9.

Luke Bakken

Jun 10, 2023, 10:40:58 AM
to rabbitm...@googlegroups.com
Satheesh -

You're going to have to be patient for the Erlang team at Ericsson to finish the work and include FIPS support in an OTP release. If you'd like to speed up the process, you could *pay* for it to be prioritized. I would contact Ericsson or Erlang Solutions.

You could follow my instructions to compile your own Erlang with FIPS support, however it would be untested and completely unsupported. Seems like a bad idea to me.

Luke Bakken

Jun 27, 2023, 10:45:11 AM
to rabbitmq-users
OTP 26.1 will include FIPS support -

https://github.com/erlang/otp/pull/7392#issuecomment-1609617966

Please note that you must configure OpenSSL to enable the FIPS provider.