[SERVER-75989] Add support for OpenSSL 3.0 FIPS
Created: 11/Apr/23 Updated: 14/Dec/23 Resolved: 04/May/23

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 7.1.0-rc0, 7.0.0-rc1, 6.0.7, 5.0.23 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Mark Benvenuto | Assignee: | Mark Benvenuto |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v7.0, v6.0, v5.0 |
| Sprint: | Security 2023-05-01, Security 2023-05-15 |
| Participants: | |
| Description |
|
MongoDB does not support OpenSSL 3.0 FIPS due to a breaking API change by OpenSSL in the 3.0 release. As per the OpenSSL documentation, https://www.openssl.org/docs/man3.0/man7/migration_guide.html -

This OpenSSL FIPS check in the build system (https://github.com/mongodb/mongo/blob/04e2094cff720a2f75f92f9f95b53422524740c7/src/mongo/util/net/openssl_init.cpp#L149-L165) is conditional on a function that was removed in OpenSSL 3.0.

This was not caught in our existing test cases because we have no test cases that assert that MongoDB OpenSSL FIPS support works on platforms that have OpenSSL FIPS module support. We do have a test that ensures log lines match either positive or negative expected values though. The test does not know what log line is expected on which platform though. |
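The test gap described above, as an added example that is not MongoDB's test code: an either-outcome log assertion next to one that knows which outcome each platform must produce. The log strings, platform names and function names are assumptions made for illustration.

```python
import re

# Constructed log markers: the server's real FIPS messages are not quoted in the ticket.
FIPS_ACTIVE = re.compile(r"FIPS mode activated")
FIPS_UNAVAILABLE = re.compile(r"FIPS mode not available")

# Hypothetical build-variant table recording which platforms ship an OpenSSL FIPS module.
PLATFORM_HAS_FIPS = {
    "linux-openssl1.1-fips": True,
    "linux-openssl3-fips": True,
    "linux-openssl3-nofips": False,
}

# Constructed startup logs for the two outcomes.
HEALTHY_LOG = ["server starting", "FIPS mode activated", "listening"]
REGRESSED_LOG = ["server starting", "FIPS mode not available", "listening"]


def classify(log_lines):
    """Return 'active', 'unavailable' or 'none' for one startup log."""
    active = any(FIPS_ACTIVE.search(line) for line in log_lines)
    unavailable = any(FIPS_UNAVAILABLE.search(line) for line in log_lines)
    if active and unavailable:
        raise ValueError("log reports FIPS as both active and unavailable")
    if active:
        return "active"
    return "unavailable" if unavailable else "none"


def lenient_check(log_lines):
    """Either-outcome assertion: passes whichever FIPS line appears."""
    return classify(log_lines) in ("active", "unavailable")


def strict_check(platform, log_lines):
    """Pass only if the log shows the outcome this platform is required to produce."""
    if platform not in PLATFORM_HAS_FIPS:
        raise KeyError(f"no FIPS expectation recorded for {platform!r}")
    expected = "active" if PLATFORM_HAS_FIPS[platform] else "unavailable"
    return classify(log_lines) == expected


if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("regressed", REGRESSED_LOG)):
        print(name, lenient_check(log), strict_check("linux-openssl3-fips", log))
```

On the FIPS-capable platform the lenient check accepts the regressed log while the strict check rejects it, and an unlisted platform raises instead of passing by default.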
| Comments |
| Comment by Githook User [ 01/Nov/23 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}
Message: (cherry picked from commit 376eb991dcc36b8a6f0d8ed698693fca8918b4f3) |
| Comment by Githook User [ 09/May/23 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}
Message: (cherry picked from commit 376eb991dcc36b8a6f0d8ed698693fca8918b4f3) |
| Comment by Githook User [ 04/May/23 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}
Message: (cherry picked from commit 376eb991dcc36b8a6f0d8ed698693fca8918b4f3) |
| Comment by Githook User [ 01/May/23 ] |
|
Author: {'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}
Message: |