Request for FIPS-Validated netty-tcnative release #799
Comments
I have no idea what this would entail at all, so if it's not too much work maybe do a PR and we can have a look?
#821

### Motivation:

As discussed in [issue](#799), considering the growing demand for FIPS compliance in security-sensitive environments, an official netty-tcnative release supporting FIPS validation would greatly benefit the open-source community. This would simplify integration and provide a reliable, community-supported solution.

### Setup Configurations:

Tools: cmake 3.20, ninja build 1.10.0, clang-12, golang, java 11, maven 3.6.3, libapr1, automake, autoconf, libtool, libunwind-dev, pkg-config

FIPS-validated BoringSSL commit used is 853ca1ea1168dff08011e5d42d94609cc0ca2e27

### Build Steps:

- Run Maven
  ```
  mvn clean install -f boringssl-static/pom.xml -Pfips-boringssl-static
  ```
- While the build is running you should see in the logs:
  ```
  ...
  Boringssl is fips compliant
  ...
  ```
- After the build steps are completed you should see jars, e.g.
  ```
  .m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final.jar
  .m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar
  ```

### Modifications:

- Added pom profile `fips-boringssl-static` for the FIPS-compliant build

### Tested on:

Tested on Linux AMD and ARM machines, which are supported as per the FIPS security document attached in the reference.

Output: https://drive.google.com/file/d/1eAFUIrHLbB7xiTpxHPs__N3Ha_Ltli76/view?usp=sharing

### Reference:

Guidance on how to build FIPS-validated modules: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf

---------

Co-authored-by: Norman Maurer <norman_maurer@apple.com>
@normanmaurer Is there any way we can help to include #821 in the build process?
@normanmaurer Gentle nudge for the above request. TIA
On the FIPS topic: I think that to make FIPS mode work, fipsModeSet needs to be set to 1 (https://javadoc.io/doc/io.netty/netty-tcnative/2.0.35.Final/io/netty/internal/tcnative/SSL.html#fipsModeSet-int-). But this does not seem to be a configurable option, so if someone wants to use FIPS mode they must set it in code. Am I right? If so, can we make that option user-configurable when the lib is initiated?
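As an added illustration of the point raised in the comment above (this is example code, not code from the netty-tcnative project or from anyone in this thread): the only public switch is the `SSL.fipsModeGet()` / `SSL.fipsModeSet(int)` pair from the linked Javadoc, so an application that needs FIPS today has to call it itself during startup. The snippet below does that in a fail-closed way. It assumes the netty-tcnative native library has already been loaded (for example through Netty's `io.netty.handler.ssl.OpenSsl` bootstrap), and the system property name `app.require.fips` is a hypothetical convention chosen for the example.

```java
// Added example (not netty-tcnative project code): enforce FIPS mode at startup.
// Assumes the netty-tcnative native library is already loaded; the property name
// "app.require.fips" is a hypothetical convention for this example.
import io.netty.internal.tcnative.SSL;

public final class FipsBootstrap {

    // Hypothetical property: -Dapp.require.fips=true makes startup fail closed
    // when FIPS mode cannot be enabled.
    static final String REQUIRE_FIPS_PROPERTY = "app.require.fips";

    private FipsBootstrap() {}

    /**
     * Returns true if FIPS mode is active after this call.
     * Throws IllegalStateException if FIPS was required but could not be enabled,
     * so a misconfigured deployment fails at startup instead of silently using
     * non-validated crypto.
     */
    public static boolean enforceFipsMode() throws Exception {
        boolean required = Boolean.getBoolean(REQUIRE_FIPS_PROPERTY);

        // Non-zero means FIPS mode is already on (e.g. a FIPS BoringSSL build).
        if (SSL.fipsModeGet() != 0) {
            return true;
        }

        // Try to switch it on; the native side may throw if the build is not
        // FIPS-capable, so treat any exception as "could not enable".
        try {
            SSL.fipsModeSet(1);
        } catch (Exception e) {
            if (required) {
                throw new IllegalStateException(
                        "FIPS mode required but the native library could not enable it", e);
            }
            return false;
        }

        // Re-read rather than trusting the set call's return value.
        boolean active = SSL.fipsModeGet() != 0;
        if (required && !active) {
            throw new IllegalStateException(
                    "FIPS mode required but fipsModeGet() still reports it as off");
        }
        return active;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("FIPS mode active: " + enforceFipsMode());
    }
}
```

Run `enforceFipsMode()` once, before any `SslContext` is built, and with `-Dapp.require.fips=true` in environments where only validated crypto is acceptable; re-reading `fipsModeGet()` after the set call is what makes the check independent of how a given native build reports success.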
Currently, users must fork the repository and rebuild with the FIPS-validated BoringSSL tar to achieve FIPS compliance.
Considering the growing demand for FIPS compliance in security-sensitive environments, an official netty-tcnative release supporting FIPS validation would greatly benefit the open-source community. This would simplify integration and provide a reliable, community-supported solution.
I'm willing to contribute by raising a pull request (PR) to help implement the FIPS-validated release.