Details
Description
MongoDB does not support OpenSSL 3.0 FIPS due to a breaking API change by OpenSSL in the 3.0 release.
As per the Open SSL documentation, https://www.openssl.org/docs/man3.0/man7/migration_guide.html -
Removed FIPS_mode() and FIPS_mode_set()
|
These functions are legacy APIs that are not
|
applicable to the new provider model.
|
Applications should instead use
|
EVP_default_properties_is_fips_enabled(3) and
|
EVP_default_properties_enable_fips(3)."
|
This OpenSSL FIPS check in the build system (https://github.com/mongodb/mongo/blob/04e2094cff720a2f75f92f9f95b53422524740c7/src/mongo/util/net/openssl_init.cpp#L149-L165) is conditional on a function that was removed in OpenSSL 3.0
This was not caught in our existing test cases because we have no test cases that assert that MongoDB OpenSSL FIPS support works on platforms that have OpenSSL FIPS module support.
We do have a test that ensures log lines match either positive or negative expected values though. The test does not know what log line is expected on which platform though.
Attachments
Issue Links
- is documented by
-
DOCS-16095 [SERVER] OpenSSL 3.0 FIPS
-
- Closed
-