How to build FIPS enabled Openssl in docker

February 26, 2021

Introduction

In this post, we will see

  • how to build a FIPS-enabled OpenSSL in Docker.
  • how to enable FIPS mode on the host at the kernel level.

Note: I will not go into what FIPS is.

Note: I ran the investigation below on CentOS 7.

Dockerfile

FROM centos:7

RUN yum update -y 
RUN yum -y install git libffi-devel libffi libxml2-devel libxslt-devel libjpeg-devel zlib-devel \
  make cmake gcc wget bzip2-devel sqlite-devel curl \
  && yum groupinstall -y 'Development Tools'

ENV OPENSSL_FIPS=1
RUN mkdir -p /usr/local/src/ \
  && cd /usr/local/src/ \
  && curl -O https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz \
  && curl -O https://www.openssl.org/source/openssl-1.0.2t.tar.gz \
  && tar -xvf openssl-fips-2.0.16.tar.gz \
  && cd openssl-fips-2.0.16 \
  && ./config \
  && make install \
  && cd ../ \
  && rm -f openssl-fips-2.0.16.tar.gz \
  && rm -rf ./openssl-fips-2.0.16 \
  && tar -xvf openssl-1.0.2t.tar.gz \
  && cd openssl-1.0.2t \
  && ./config shared fips no-ssl2 no-ssl3 \
  && make depend \
  && make install \
  && echo "/usr/local/ssl/lib" > /etc/ld.so.conf.d/openssl-1.0.2t.conf \
  && ldconfig -v \
  && ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl \
  && openssl version

OpenSSL provides the FIPS Object Module as source code, and it has to be built from source. In the Dockerfile above, we first build and install the FIPS module (openssl-fips-2.0.16) and then build OpenSSL 1.0.2t against it with the fips configure option, which is the procedure OpenSSL recommends.

Note: The centos:7 base image above ships without OpenSSL. Even if an older OpenSSL is already present on your machine, this build installs into a separate directory, /usr/local/ssl, so the system copy is not overwritten.

Build Docker image

docker build -t my-fips-openssl .

FIPS Enabled Openssl

$ openssl version
OpenSSL 1.0.2t-fips  10 Sep 2019

Enabling FIPS support

It is important to note that installing a FIPS-enabled OpenSSL does not by itself reject non-approved algorithms such as MD5. We have to explicitly ask OpenSSL to enter FIPS mode.

For example:

$ openssl md5 <file>
This prints a valid MD5 digest.

Enabling FIPS

OPENSSL_FIPS=1 openssl md5 <file>

Error setting digest md5
140584782555024:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:

This confirms that FIPS mode is active: MD5 is rejected by the EVP digest layer as soon as OPENSSL_FIPS=1 is set.

Enable a Host FIPS-Enabled at Kernel Level

Run the script below as root and then reboot the host. It follows the CentOS 7 procedure: install dracut-fips, rebuild the initramfs so it carries the FIPS integrity checks, and add fips=1 (plus boot=UUID=<uuid> when /boot is a separate partition) to the kernel command line.

#!/bin/bash
set -euo pipefail
# Every step below writes to /boot or /etc, so the script must run as root
[[ $EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }
# Installing the dracut package that adds the FIPS integrity checks to the initramfs
yum install dracut-fips -y
# Taking a backup of the current initramfs (moved away, because dracut will not overwrite an existing image)
mv -v /boot/initramfs-$(uname -r).img{,.bak}
# Building a FIPS enabled initramfs for the running kernel
dracut
# Setting kernel params on the default kernel entry
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
# This line is required in case someone runs grub2-mkconfig manually
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub

# When /boot is a separate partition, the kernel needs boot=UUID=<uuid> to locate it
uuid=$(findmnt -no uuid /boot || true)
if [[ -n $uuid ]]; then
  grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
  # This line is required in case someone runs grub2-mkconfig manually
  sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
fi
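As an added example that is not part of the original post, here is a smoke test for the two checks above: that the OpenSSL build is a FIPS build which really refuses MD5 once OPENSSL_FIPS=1 is set, and that the host kernel booted with fips=1. It assumes the /usr/bin/openssl symlink from the Dockerfile and the "disabled for fips" error text shown earlier; the function names are chosen here.

```shell
#!/usr/bin/env bash
# Added smoke test (not from the original post). Assumes the /usr/bin/openssl
# symlink from the Dockerfile above; function names are chosen here.
set -u

# Classify an OpenSSL build from 'openssl version' output plus the exit
# status and stderr of 'OPENSSL_FIPS=1 openssl md5 <file>'. Prints one of:
#   not-fips-build  libcrypto was built without the FIPS module
#   not-enforced    FIPS build, but MD5 still succeeded in FIPS mode
#   enforced        MD5 refused with the "disabled for fips" error
fips_verdict() {
  local version="$1" md5_status="$2" md5_stderr="$3"
  case "$version" in
    *-fips*) ;;
    *) echo "not-fips-build"; return 0 ;;
  esac
  if [ "$md5_status" -ne 0 ] && printf '%s\n' "$md5_stderr" | grep -q 'disabled for fips'; then
    echo "enforced"
  else
    echo "not-enforced"
  fi
}

# Run the real checks against a binary and print the verdict.
check_openssl_fips() {
  local bin="${1:-/usr/bin/openssl}" tmp version md5_err md5_rc
  tmp=$(mktemp); printf 'fips smoke test\n' > "$tmp"
  version=$("$bin" version 2>/dev/null || echo "missing")
  # Capture only stderr; MD5 must be refused once OPENSSL_FIPS=1 is set.
  if md5_err=$(OPENSSL_FIPS=1 "$bin" md5 "$tmp" 2>&1 >/dev/null); then
    md5_rc=0
  else
    md5_rc=$?
  fi
  rm -f "$tmp"
  fips_verdict "$version" "$md5_rc" "$md5_err"
}

# Host side: after the dracut/grubby steps and a reboot, the kernel reports fips=1 here.
kernel_fips_enabled() {
  [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

echo "openssl: $(check_openssl_fips "${1:-/usr/bin/openssl}")"
if kernel_fips_enabled; then echo "kernel: fips=1"; else echo "kernel: fips not enabled"; fi
```

Run it inside the image with docker run --rm my-fips-openssl bash smoke.sh and on the host after the reboot; anything other than "enforced" and "kernel: fips=1" means one of the two steps did not take effect.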

Next

Let's see how we can enable FIPS in OpenSSL via Python 3.7

Let's see how we can enable FIPS in OpenSSL via Python 3.9

