| | | |
|---|---|---|
| author | Daniel Bevenius <daniel.bevenius@gmail.com> | 2021-04-14 12:19:54 +0300 |
| committer | Daniel Bevenius <daniel.bevenius@gmail.com> | 2021-10-11 07:28:08 +0300 |
| commit | 66da32c045035cf2710a48773dc6f55f00e20c40 | |
| tree | 5476a5263442f875b4117c2e57d795105e63a02c | /BUILDING.md |
| parent | 49b7ec96a431a3e0ba0989d6b41db813aefe878a | |
deps,test,src,doc,tools: update to OpenSSL 3.0
This pull request updates the OpenSSL version that is statically
linked with Node.js from OpenSSL 1.1.1 to quictls OpenSSL 3.0.0+quic.
This pull request will replace the OpenSSL version that is currently
in the deps directory and, when performing a normal build,
OpenSSL 3.0+quic will be statically linked to the Node.js executable.
We will still be able to dynamically link to OpenSSL 1.1.1, and we have
a CI job which dynamically links to OpenSSL 1.1.1 and is run for
every pull request to make sure that we maintain backward compatibility.
PR-URL: https://github.com/nodejs/node/pull/38512
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Diffstat (limited to 'BUILDING.md')
-rw-r--r-- | BUILDING.md | 47 |
1 files changed, 42 insertions, 5 deletions
diff --git a/BUILDING.md b/BUILDING.md index 80d286584fb..dc159c8b539 100644 --- a/BUILDING.md +++ b/BUILDING.md 
@@ -764,11 +764,48 @@ as `deps/icu` (You'll have: `deps/icu/source/...`) ## Building Node.js with FIPS-compliant OpenSSL -The current version of Node.js does not support FIPS when statically linking -(the default) with OpenSSL 1.1.1 but for dynamically linking it is possible -to enable FIPS using the configuration flag `--openssl-is-fips`. +The current version of Node.js supports FIPS when statically and +dynamically linking with OpenSSL 3.0.0 by using the configuration flag +`--openssl-is-fips`. -### Configuring and building quictls/openssl for FIPS +### FIPS support when statically linking OpenSSL + +FIPS can be supported by specifying the configuration flag `--openssl-is-fips`: +```console +$ ./configure --openssl-is-fips +$ make -j8 +``` + +The above command will build and install the FIPS module into the out directory. +This includes building fips.so, running the `installfips` command that generates +the FIPS configuration file (fipsmodule.cnf), copying and updating openssl.cnf +to include the correct path to fipsmodule.cnf and finally uncomment the fips +section. 
+ +We can then run node specifying `--enable-fips`: +```console +$ ./node --enable-fips -p 'crypto.getFips()' +1 +``` +The above will use the Node.js default locations for OpenSSL 3.0: +```console +$ ./out/Release/openssl-cli version -m -d +OPENSSLDIR: "/nodejs/openssl/out/Release/obj.target/deps/openssl" +MODULESDIR: "/nodejs/openssl/out/Release/obj.target/deps/openssl/lib/openssl-modules" +``` +The OpenSSL configuration files will be found in `OPENSSLDIR` directory above: +```console +$ ls -w 1 out/Release/obj.target/deps/openssl/*.cnf +out/Release/obj.target/deps/openssl/fipsmodule.cnf +out/Release/obj.target/deps/openssl/openssl.cnf +``` +And the FIPS module will be located in the `MODULESDIR` directory: +```console +$ ls out/Release/obj.target/deps/openssl/lib/openssl-modules/ +fips.so +``` + +### FIPS support when dynamically linking OpenSSL For quictls/openssl 3.0 it is possible to enable FIPS when dynamically linking. If you want to build Node.js using openssl-3.0.0+quic, you can follow these @@ -811,7 +848,7 @@ find the `fipsmodule.cnf` file - let's add the following to the end of the **alter openssl.cnf** ```text -.include fipsmodule.cnf +.include /absolute/path/to/fipsmodule.cnf # List of providers to load [provider_sect] |
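Review bot: in the first hunk (`@@ -764,11 +764,48 @@`), the new "FIPS support when statically linking OpenSSL" text refers to "the `installfips` command", but the OpenSSL 3.0 sub-command that generates fipsmodule.cnf is `openssl fipsinstall`; confirm which name is meant and use it consistently with the `openssl-cli` invocation shown a few lines later. The same sentence also loses its parallel structure ("building fips.so, running ..., copying and updating openssl.cnf ... and finally uncomment the fips section"); "and finally uncommenting the `fips` section" reads correctly. Finally, the `OPENSSLDIR` and `MODULESDIR` values shown are absolute paths into the build tree (`/nodejs/openssl/out/Release/...` on the author's machine), so the section should say what a reader should expect from `--enable-fips` once the `node` binary is copied or installed outside `out/Release`, or state plainly that only the in-tree case is covered here.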
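Review bot: the `.include /absolute/path/to/fipsmodule.cnf` line in the second hunk (`@@ -811,7 +848,7 @@`) needs one sentence in the surrounding "alter openssl.cnf" prose explaining why the path must be absolute: a relative `.include` is not resolved against the directory that holds openssl.cnf, so the previous `.include fipsmodule.cnf` only worked when the process happened to run from that directory and otherwise the FIPS provider silently failed to load. Tie the placeholder to the fipsmodule.cnf location produced in the preceding step (the hunk's own context line "find the `fipsmodule.cnf` file" already points there), e.g. "use the absolute path printed in the previous step", so the reader does not treat `/absolute/path/to/` as literal.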