Installing nodejs with fips via nvm doesn't work, fips mode not enabled #48776

Closed
agenaille opened this issue Jul 14, 2023 · 2 comments

agenaille commented Jul 14, 2023

Version

18.16.1

Platform

Linux machine.redacted.com 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Tue Dec 21 19:02:23 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

nvm install -s v18.16.1 --openssl-is-fips

node --enable-fips  -p 'crypto.getFips()'

Error:

node: OpenSSL error when trying to enable FIPS:
C01793902A7F0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../deps/openssl/openssl/crypto/dso/dso_dlfcn.c:118:filename(/home/theUser@redacted.com/.nvm/.cache/src/node-v18.16.1/files/out/$(BUILDTYPE)/obj.target/deps/openssl/lib/openssl-modules/fips.so): /home/theUser@redacted.com/.nvm/.cache/src/node-v18.16.1/files/out/$(BUILDTYPE)/obj.target/deps/openssl/lib/openssl-modules/fips.so: cannot open shared object file: No such file or directory

Above, note the existence of the $(BUILDTYPE) in the path. I think that should be Release, as the following file DOES exist:
/home/theUser@redacted.com/.nvm/.cache/src/node-v18.16.1/files/out/Release/obj.target/deps/openssl/lib/openssl-modules/fips.so

How often does it reproduce? Is there a required condition?

Every time.

What is the expected behavior? Why is that the expected behavior?

I am expecting node --enable-fips -p 'crypto.getFips()' to output 1 and instead it throws an error.

What do you see instead?

Error is thrown on missing file

Additional information

No response

Member

richardlau commented Jul 14, 2023

IIRC this used to work when first added to Node.js f4bd91b#diff-b444d542a5859a68304f84ed3e5a6c81730671295236c26c7866eab5306c1d11 (i.e. BUILDTYPE was correctly substituted) but broke when upstreamed to gyp-next (slightly differently in nodejs/gyp-next#151) and resynced back to Node.js.

FWIW if you want to enable FIPS in Node.js you do not need to (re)compile Node.js from source but you will need the OpenSSL 3 FIPS provider. See https://nodejs.org/dist/latest-v20.x/docs/api/crypto.html#fips-mode (the same documentation applies to Node.js 18 and the documentation for Node.js 18 will be updated with #48694).

@agenaille
Author

@richardlau thanks for the reply. The current Linux distro we use embeds a FIPS-compliant version of OpenSSL 1.1.1, so I think we will go the route of upgrading to a distro that has OpenSSL 3.x FIPS and then get Node.js FIPS compliant following the new documentation. Thank you! I will close this.
