  1. Core Server
  2. SERVER-75989

Add support for OpenSSL 3.0 FIPS

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 7.1.0-rc0, 7.0.0-rc1, 6.0.7, 5.0.23
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Fully Compatible
    • ALL
    • v7.0, v6.0, v5.0
    • Security 2023-05-01, Security 2023-05-15

      MongoDB does not support OpenSSL 3.0 FIPS due to a breaking API change by OpenSSL in the 3.0 release.

      As per the OpenSSL documentation, https://www.openssl.org/docs/man3.0/man7/migration_guide.html:

      "Removed FIPS_mode() and FIPS_mode_set()
      These functions are legacy APIs that are not applicable to the new provider model. Applications should instead use EVP_default_properties_is_fips_enabled(3) and EVP_default_properties_enable_fips(3)."

      This OpenSSL FIPS check in the build system (https://github.com/mongodb/mongo/blob/04e2094cff720a2f75f92f9f95b53422524740c7/src/mongo/util/net/openssl_init.cpp#L149-L165) is conditional on a function that was removed in OpenSSL 3.0.

      This was not caught in our existing test cases because we have no test cases that assert that MongoDB OpenSSL FIPS support works on platforms that have OpenSSL FIPS module support.

      We do have a test that ensures log lines match either positive or negative expected values though. The test does not know what log line is expected on which platform though.
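
The API split described above, as an added example that is not MongoDB's code: a Python ctypes probe that reports FIPS state through whichever function the loaded libcrypto exports, so the check does not hinge on a symbol that OpenSSL 3.0 removed. The helper names `load_libcrypto` and `fips_enabled` are hypothetical; only the OpenSSL function names come from the migration guide quoted in the ticket.

```python
import ctypes
import ctypes.util


def load_libcrypto():
    """Return a ctypes handle to the system libcrypto, or None if unavailable."""
    name = ctypes.util.find_library("crypto")
    if name is None:
        return None
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


def fips_enabled(lib):
    """Report FIPS state via the API this libcrypto actually exports.

    Returns True or False, or None when neither API is present
    (no library found, or a build without either symbol).
    """
    # OpenSSL 3.0+: provider model. A missing symbol raises AttributeError,
    # which getattr() turns into the None default.
    modern = getattr(lib, "EVP_default_properties_is_fips_enabled", None)
    if modern is not None:
        modern.argtypes = [ctypes.c_void_p]  # OSSL_LIB_CTX *, NULL = default context
        modern.restype = ctypes.c_int
        return modern(None) == 1

    # OpenSSL 1.x: legacy API, removed in 3.0.
    legacy = getattr(lib, "FIPS_mode", None)
    if legacy is not None:
        legacy.argtypes = []
        legacy.restype = ctypes.c_int
        return legacy() != 0

    return None


if __name__ == "__main__":
    state = fips_enabled(load_libcrypto())
    label = {True: "enabled", False: "disabled", None: "unknown"}[state]
    print("OpenSSL FIPS mode:", label)
```

A test harness could run a probe like this on each platform to decide which outcome to expect, instead of accepting either one.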

            Assignee:
            mark.benvenuto@mongodb.com Mark Benvenuto
            Reporter:
            mark.benvenuto@mongodb.com Mark Benvenuto