Unable to enable FIPS in docker

[SrikanthMedisetti]

Hello All,
I'm trying to build a docker image that has openssl with FIPS enabled.

here is what I have for the dockerfile (base image is alpine 3.19)

RUN wget -q -O openssl-openssl-3.0.13-quic1.zip https://github.com/quictls/openssl/archive/refs/tags/openssl-3.0.13-quic1.zip \
    && unzip -q openssl-openssl-3.0.13-quic1.zip \
    && cd openssl-openssl-3.0.13-quic1 \
    && ./config \
      --prefix=$SSLPATH \
      --openssldir=$SSLPATH/ssl \
      shared \
      enable-fips \
      linux-x86_64 \
    && make -j8 \
    && make install \
    #&& make install_ssldirs \
    && make install_fips
    #&& openssl fipsinstall \

ENV OPENSSL_CONF=$SSLPATH/ssl/openssl.cnf   NODEJS_CONF=$SSLPATH/ssl/openssl.cnf  LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SSLPATH/lib64 \
    LIBRARY_PATH=$LIBRARY_PATH:$SSLPATH/lib64 \
    OPENSSL_MODULES=$SSLPATH/lib64/ossl-modules \
    PATH=$SSLPATH/bin:$PATH 

RUN sed -i 's/# .include fipsmodule.cnf/.include \/etc\/in4ssl\/ssl\/fipsmodule.cnf/' $SSLPATH/ssl/openssl.cnf \
    && sed -i 's/# fips = fips_sect/fips = fips_sect/' $SSLPATH/ssl/openssl.cnf \
    && sed -i 's/# activate = 1/activate = 1/' $SSLPATH/ssl/openssl.cnf \
    #&& sed -i 's/openssl_conf = openssl_init/nodejs_conf = openssl_init/' $SSLPATH/ssl/openssl.cnf \
    && cat $SSLPATH/ssl/openssl.cnf \
    && cd /root \
    && rm -Rf openssl-openssl-3.0.13-quic1 \
    && rm openssl-openssl-3.0.13-quic1.zip \
    && export OPENSSL_CONF=$SSLPATH/ssl/openssl.cnf \
    && export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SSLPATH/lib64 \
    && export LIBRARY_PATH=$LIBRARY_PATH:$SSLPATH/lib64 \
    && export OPENSSL_MODULES=$SSLPATH/lib64/ossl-modules \
    && export PATH=$SSLPATH/bin:$PATH \
    && openssl version -a \
    && sed -i 's/activate = 1/#activate = 1/' /etc/in4ssl/ssl/fipsmodule.cnf \
    && cat /etc/in4ssl/ssl/fipsmodule.cnf \
    && openssl list -providers -provider fips -provider base 

RUN strings $SSLPATH/lib64/libcrypto.so | grep -i fips && openssl version -fips && openssl version -a

When the last command runs on the libcrypto.so file, I see the following (snippet)

#8 0.093 EVP_default_properties_is_fips_enabled
#8 0.130 EVP_default_properties_enable_fips
#8 0.130 crypto/bn/bn_rsa_fips186_4.c
#8 0.130 FIPS routines
#8 0.130 fips186_2
#8 0.130 fips186_4
#8 0.130 fips_mode
#8 0.130 -fips
#8 0.130 provider=base,fips=yes
#8 0.130 provider=default,fips=yes
#8 0.130 fips module conditional error
#8 0.130 fips module in error state
#8 0.130 provider=base,fips=yes,input=der,structure=PrivateKeyInfo
#8 0.130 provider=base,fips=yes,input=der,structure=SubjectPublicKeyInfo
#8 0.130 provider=base,fips=yes,input=der,structure=type-specific
#8 0.130 provider=base,fips=yes,input=der,structure=dh

Could you please let me know what might have happend that I see those errors in that file.
Thank you in advance!

[paulidale]

[ I edited the request for improved readability ]

You should be looking for fips.so which is the FIPS provider. libcrypto doesn't contain any of the FIPS code.

What does openssl list -providers -provider fips -provider base print out? It should give something like:

Providers:
  base
    name: OpenSSL Base Provider
    version: 3.4.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.4.0
    status: active

Finally, I'll note that 3.0.13 has not been FIPS validated. Using the FIPS provider from this version is not FIPS compliant. The FIPS README has details for using a validated FIPS provider with a different version of OpenSSL. The security policy lists approved versions (currently only 3.0.8 and 3.0.9). Moreover, you must read the security policy and strictly adhere to all conditions it imposes. This includes installation, where you deviate from the instructions. Only after doing all this can you claim compliance.

And yes, some of the conditions are silly.

[SrikanthMedisetti]

Thank you @paulidale for the quick response.
Yes, I realized it is not fips compliant. I will use Openssl 3.2 which has quic support and will try to build it again.

Again, thank you for your time!

[paulidale]

The 3.2 FIPS provider also isn't FIPS compliant. You'll need the 3.0.9 FIPS provider and OpenSSL 3.2.

[SrikanthMedisetti]

Yes, that is what I mean. 3.2 with 3.0.9 FIPS compliant version of openssl.