FIPS support in Fluentd #3121
Comments
What changes are needed in fluentd core?
@javsalgar I'd love to better understand the use case for FIPS
Hi, any progress on this? Couldn't find any other topics discussing this thread
@javsalgar Please share your findings on this
Most governments require FIPS-validation. It's an absolute requirement by the US government.
+1
To support OpenSSL FIPS on Fluentd, users must install an openssl library with FIPS support. This module sometimes isn't provided for non-commercial distributions such as Ubuntu. So, users ought to compile it with FIPS support by themselves if they don't use commercial distributions. I found some hints to enable FIPS mode: If the FIPS enabled libraries are installed, users must enable the FIPS module as follows:
The current status of FIPS support on ruby/openssl is here:
According to ruby/openssl#603 and https://github.com/ruby/openssl/releases/tag/v3.2.0, the FIPS support effort is not fully merged in v3.2.0, so we need to wait for a newer ruby/openssl release. (e.g. ruby/openssl#694 was fixed after v3.2.0) As it depends on the user environment, it seems that there is little room to deal with it on the Fluentd side, isn't it? If it is easy to detect whether a FIPS compliant openssl is running from the Fluentd side, checking it on the Fluentd side may be reasonable. (e.g.
Yup. It's reasonable. We're only able to switch on/off or to detect whether FIPS is enabled or not.
Hi, any update on this enhancement?
ensure_fips option checks whether FIPS mode is enabled on the OpenSSL side. If FIPS is not enabled on the OpenSSL side, it raises an error when ensure_fips is true. NOTE: If FIPS mode is enabled, ensure_fips does nothing. Closes: fluent#3121 Signed-off-by: Kentaro Hayashi <[email protected]>
ensure_fips option checks whether FIPS mode is enabled on the OpenSSL side. If FIPS is not enabled on the OpenSSL side, it raises an error when ensure_fips is true. NOTE: If FIPS mode is enabled, ensure_fips does nothing. Closes: #3121 Signed-off-by: Kentaro Hayashi <[email protected]>
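As an added example (not Fluentd's own code and not the implementation from the commits above), this is how an ensure_fips-style check can be built on ruby/openssl: the runtime state comes from `OpenSSL.fips_mode`, the policy is kept in a pure function so it can be tested on a machine without a FIPS build, and a second signal probes whether a non-approved digest (MD5) is still usable. The names `check_fips_policy`, `ensure_fips!`, `fips_status`, `md5_available?` and `FipsNotEnabledError` are hypothetical, and the MD5 probe assumes the OpenSSL 3 FIPS provider refuses non-approved algorithms.

```ruby
# Added example, not Fluentd's code: an ensure_fips-style startup check
# built on ruby/openssl. All names below are hypothetical.
require "openssl"

class FipsNotEnabledError < StandardError; end

# Pure policy decision so it can be unit-tested without a FIPS-enabled
# OpenSSL. required: the configured ensure_fips value; enabled: what the
# OpenSSL runtime reports. Returns :skipped, :ok, or raises.
def check_fips_policy(required:, enabled:)
  return :skipped unless required
  return :ok if enabled

  raise FipsNotEnabledError,
        "ensure_fips is true but OpenSSL is not running in FIPS mode " \
        "(#{OpenSSL::OPENSSL_LIBRARY_VERSION})"
end

# What the interpreter's OpenSSL actually reports at runtime.
def fips_status
  {
    library_version: OpenSSL::OPENSSL_LIBRARY_VERSION,
    fips_mode: OpenSSL.fips_mode, # runtime state, not a compile-time flag
  }
end

# Mirrors the semantics described in the commit message: no-op when FIPS is
# already on, raise when it is requested but off, skip when not requested.
def ensure_fips!(required)
  check_fips_policy(required: required, enabled: OpenSSL.fips_mode)
end

# Independent signal: a FIPS provider refuses non-approved digests such as
# MD5 (assumption: OpenSSL 3 FIPS provider behaviour), so a successful MD5
# call means the process is not restricted to FIPS-approved algorithms.
def md5_available?
  OpenSSL::Digest.new("MD5").digest("probe")
  true
rescue StandardError
  false
end

if $PROGRAM_NAME == __FILE__
  puts fips_status.inspect
  begin
    puts "ensure_fips true -> #{ensure_fips!(true)}"
  rescue FipsNotEnabledError => e
    puts "ensure_fips true -> #{e.class}: #{e.message}"
  end
  puts "MD5 usable: #{md5_available?}"
end
```

Note that `OpenSSL.fips_mode` only reports what the loaded libcrypto says about itself; it does not tell you whether that build is the validated module, which is a deployment question (which package, which configuration file) rather than something Fluentd can verify.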
Check CONTRIBUTING guideline first and here is the list to help us investigate the problem.
Is your feature request related to a problem? Please describe.
I would like to confirm that it is possible to configure Fluentd to only use FIPS-validated cryptography. I saw that starting with 0.14.12 there is support for SSL when forwarding. Would using a FIPS-validated OpenSSL be enough, or are there other encryption functions that need to be configured in order to be FIPS-compliant (https://docs.pulsesecure.net/WebHelp/PCS/9.1R4/AG/Content/PCS/PCS_AdminGuide/Supported_Cipher_Suites_When_2.htm)?
Describe the solution you'd like
A confirmation on whether using a FIPS-validated OpenSSL is enough.
Describe alternatives you've considered
n/a