[SERVER-75989] Add support for OpenSSL 3.0 FIPS Created: 11/Apr/23  Updated: 14/Dec/23  Resolved: 04/May/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0, 7.0.0-rc1, 6.0.7, 5.0.23

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Documented
is documented by DOCS-16095 [SERVER] OpenSSL 3.0 FIPS Closed
Issue split
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.0, v6.0, v5.0
Sprint: Security 2023-05-01, Security 2023-05-15
Participants:

 Description   

MongoDB does not support OpenSSL 3.0 FIPS due to a breaking API change by OpenSSL in the 3.0 release.

As per the OpenSSL documentation (https://www.openssl.org/docs/man3.0/man7/migration_guide.html):

"Removed FIPS_mode() and FIPS_mode_set()
These functions are legacy APIs that are not applicable to the new provider model. Applications should instead use EVP_default_properties_is_fips_enabled(3) and EVP_default_properties_enable_fips(3)."

This OpenSSL FIPS check in the build system (https://github.com/mongodb/mongo/blob/04e2094cff720a2f75f92f9f95b53422524740c7/src/mongo/util/net/openssl_init.cpp#L149-L165) is conditional on a function that was removed in OpenSSL 3.0.

This was not caught in our existing test cases because we have no test cases that assert that MongoDB OpenSSL FIPS support works on platforms that have OpenSSL FIPS module support.

We do have a test that ensures log lines match either positive or negative expected values though. The test does not know what log line is expected on which platform though.
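
A test harness can learn which FIPS query API the platform's libcrypto exports, and what it reports, by probing the two symbols named in the migration guide. The following is an added example, not code from MongoDB or from this ticket; `fips_state` and `probe_system_libcrypto` are hypothetical names, and the sketch assumes libcrypto can be located through the default loader search path.

```python
import ctypes
import ctypes.util

# Symbols named in the OpenSSL 3.0 migration guide quoted in this ticket.
LEGACY_GETTER = "FIPS_mode"                                 # removed in OpenSSL 3.0
PROVIDER_GETTER = "EVP_default_properties_is_fips_enabled"  # its 3.0 replacement


def fips_state(lib):
    """Return (api, enabled) for a loaded libcrypto handle.

    `lib` is any object exposing exported functions as attributes, which
    ctypes.CDLL does. `api` is "provider", "legacy" or "none".
    """
    # Check the 3.x entry point first: code that only looks for FIPS_mode
    # finds nothing on OpenSSL 3.0 and would treat FIPS as unsupported.
    getter = getattr(lib, PROVIDER_GETTER, None)
    if getter is not None:
        # int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *libctx);
        # NULL selects the default library context.
        getter.argtypes = [ctypes.c_void_p]
        getter.restype = ctypes.c_int
        return ("provider", bool(getter(None)))

    getter = getattr(lib, LEGACY_GETTER, None)
    if getter is not None:
        # int FIPS_mode(void);
        getter.argtypes = []
        getter.restype = ctypes.c_int
        return ("legacy", bool(getter()))

    return ("none", None)


def probe_system_libcrypto():
    """Probe the libcrypto found on the default loader path (an assumption)."""
    name = ctypes.util.find_library("crypto")
    if name is None:
        return ("unavailable", None)
    try:
        return fips_state(ctypes.CDLL(name))
    except OSError:
        return ("unavailable", None)


if __name__ == "__main__":
    print(probe_system_libcrypto())
```

The result describes the libcrypto the loader finds by default, which may differ from the one a particular server binary is linked against.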



 Comments   
Comment by Githook User [ 01/Nov/23 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-75989 Add support for OpenSSL 3.0 FIPS

(cherry picked from commit 376eb991dcc36b8a6f0d8ed698693fca8918b4f3)
(cherry picked from commit f8d9519f2178be5f7c53ddcaf26f092b6fb5b580)
(cherry picked from commit c28de5bbf7bc478f4215ed1234ea910b8fc58277)
Branch: v5.0
https://github.com/mongodb/mongo/commit/1f1736938009721be9eb4613b077f2b537e35dcc

Comment by Githook User [ 09/May/23 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-75989 Add support for OpenSSL 3.0 FIPS

(cherry picked from commit 376eb991dcc36b8a6f0d8ed698693fca8918b4f3)
(cherry picked from commit f8d9519f2178be5f7c53ddcaf26f092b6fb5b580)
Branch: v6.0
https://github.com/mongodb/mongo/commit/c28de5bbf7bc478f4215ed1234ea910b8fc58277

Comment by Githook User [ 04/May/23 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-75989 Add support for OpenSSL 3.0 FIPS

(cherry picked from commit 376eb991dcc36b8a6f0d8ed698693fca8918b4f3)
Branch: v7.0
https://github.com/mongodb/mongo/commit/f8d9519f2178be5f7c53ddcaf26f092b6fb5b580

Comment by Githook User [ 01/May/23 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-75989 Add support for OpenSSL 3.0 FIPS
Branch: master
https://github.com/mongodb/mongo/commit/376eb991dcc36b8a6f0d8ed698693fca8918b4f3
