[DOCS-16095] [SERVER] OpenSSL 3.0 FIPS Created: 04/May/23  Updated: 13/Nov/23  Resolved: 26/Jul/23

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 7.1.0-rc0, 7.0.0-rc1, 6.0.7, 5.0.23, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task
Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team
Assignee: Ian Fogelman
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by DOCS-16096 [SERVER][BACKPORT] OpenSSL 3.0 FIPS Closed
Documented
documents SERVER-75989 Add support for OpenSSL 3.0 FIPS Closed
Participants:
Days since reply: 39 weeks ago

 Description   

ORIGINAL SUMMARY: Investigate changes in SERVER-75989: Add support for OpenSSL 3.0 FIPS

Original Downstream Change Summary

MongoDB FIPS mode is not supported on MongoDB 6.0.x with OpenSSL 3. This ticket fixes that (when backported). This affects only Ubuntu 22.04, RHEL 9 and Amazon Linux 2023.

Description of Linked Ticket

MongoDB does not support OpenSSL 3.0 FIPS due to a breaking API change by OpenSSL in the 3.0 release.

As per the OpenSSL documentation, https://www.openssl.org/docs/man3.0/man7/migration_guide.html:

"Removed FIPS_mode() and FIPS_mode_set()
These functions are legacy APIs that are not applicable to the new provider model. Applications should instead use EVP_default_properties_is_fips_enabled(3) and EVP_default_properties_enable_fips(3)."

This OpenSSL FIPS check in the build system (https://github.com/mongodb/mongo/blob/04e2094cff720a2f75f92f9f95b53422524740c7/src/mongo/util/net/openssl_init.cpp#L149-L165) is conditional on a function that was removed in OpenSSL 3.0.

This was not caught in our existing test cases because we have no test cases that assert that MongoDB OpenSSL FIPS support works on platforms that have OpenSSL FIPS module support.

We do have a test that ensures log lines match either positive or negative expected values though. The test does not know what log line is expected on which platform though.
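
Added example (not part of the ticket and not MongoDB's code): a Python ctypes probe that picks the FIPS query function by OpenSSL version, following the migration-guide text quoted above, and reports when the chosen symbol is not exported instead of assuming FIPS is off. The helper names `fips_query_symbol`, `fips_state` and `load_libcrypto` are chosen for this example.

```python
import ctypes
import ctypes.util

OPENSSL_3_0_0 = 0x30000000  # OPENSSL_VERSION_NUMBER value for release 3.0.0


def fips_query_symbol(version_num):
    """Pick the libcrypto function that reports FIPS state for this version."""
    if version_num >= OPENSSL_3_0_0:
        return "EVP_default_properties_is_fips_enabled"  # provider model
    return "FIPS_mode"  # legacy API, removed in 3.0


def fips_state(lib):
    """Return (version_num, symbol, enabled).

    enabled is None when the chosen symbol is not exported by this libcrypto,
    so a missing function is reported rather than read as "FIPS disabled".
    """
    # OpenSSL 1.0.x exports SSLeay() instead of OpenSSL_version_num().
    ver_fn = getattr(lib, "OpenSSL_version_num", None) or getattr(lib, "SSLeay", None)
    if ver_fn is None:
        return (None, None, None)
    ver_fn.restype = ctypes.c_ulong
    version = ver_fn()
    symbol = fips_query_symbol(version)
    fn = getattr(lib, symbol, None)
    if fn is None:
        return (version, symbol, None)
    fn.restype = ctypes.c_int
    if symbol == "FIPS_mode":
        enabled = fn()
    else:
        fn.argtypes = [ctypes.c_void_p]
        enabled = fn(None)  # NULL selects the default library context
    return (version, symbol, bool(enabled))


def load_libcrypto():
    """Load the system libcrypto, or return None if it cannot be found."""
    path = ctypes.util.find_library("crypto")
    try:
        return ctypes.CDLL(path) if path else None
    except OSError:
        return None


if __name__ == "__main__":
    lib = load_libcrypto()
    print(fips_state(lib) if lib else "libcrypto not found")
```
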



 Comments   
Comment by Ashley Brown [ 10/May/23 ]

Please backport to 6.0.
