-
-
Notifications
You must be signed in to change notification settings - Fork 178
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request for FIPS-Validated netty-tcnative release #799
Comments
I have no idea what this would entail at all, so if it's not too much work maybe do a PR and we can have a look ? |
#821) ### Motivation: As discussed in [issue](#799), considering the growing demand for FIPS compliance in security-sensitive environments, an official netty-tcnative release supporting FIPS validation would greatly benefit the open-source community. This would simplify integration and provide a reliable, community-supported solution. ### Setup Configurations: Tools: cmake 3.20, ninja build 1.10.0, clang-12, golang, java 11, maven 3.6.3, libapr1, automake, autoconf, libtool, libunwind-dev, pkg-config Fips validated BoringSSL commit used is 853ca1ea1168dff08011e5d42d94609cc0ca2e27 ### Build Steps: - Run Maven ``` mvn clean install -f boringssl-static/pom.xml -Pfips-boringssl-static ``` - While build is running you should see in logs: ``` ... Boringssl is fips compliant ... ``` - After build steps are completed you should see Jars eg. ``` .m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final.jar .m2/repository/io/netty/netty-tcnative-boringssl-static/2.0.61.Final/netty-tcnative-boringssl-static-2.0.61.Final-linux-x86_64.jar ``` ### Modifications: - Added pom profile `fips-boringssl-static` for fips compliant ### Tested on: Tested on linux AMD and ARM machine, which are supported as per FIPS security document attached in reference. Output: https://drive.google.com/file/d/1eAFUIrHLbB7xiTpxHPs__N3Ha_Ltli76/view?usp=sharing ### Reference: Guidance on how to build FIPS validated modules: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf --------- Co-authored-by: Norman Maurer <[email protected]>
@normanmaurer Is there anyway we can help to include #821 in build process? |
@normanmaurer Gentle nudge for above request. TIA |
In FIPS topic. I think to make FIPS mode to work, fipsModeSet need to be set (1) (https://javadoc.io/doc/io.netty/netty-tcnative/2.0.35.Final/io/netty/internal/tcnative/SSL.html#fipsModeSet-int-). But this seems to not be configurable option, so if someone want to use FIPS mode must set it in code. Am I right? If so, can we make that option user configurable when lib is initiated? |
Currently, users must fork the repository and rebuild with the FIPS-validated boringSSL tar to achieve FIPS compliance.
Considering the growing demand for FIPS compliance in security-sensitive environments, an official netty-tcnative release supporting FIPS validation would greatly benefit the open-source community. This would simplify integration and provide a reliable, community-supported solution.
I'm willing to contribute by raising a pull request (PR) to help implement the FIPS-validated release.
The text was updated successfully, but these errors were encountered: