Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: Add OpenSSL FIPS provider #186

Merged
merged 1 commit into from
Mar 4, 2024
Merged

feature: Add OpenSSL FIPS provider #186

merged 1 commit into from
Mar 4, 2024

Conversation

claytonparnell
Copy link
Contributor

Issue #, if available: #161

Description of changes:
Adding OpenSSL FIPS provider. We will install OpenSSL using conda-forge to ensure compatibility with all packages, however the latest FIPS-verified provider is from OpenSSL 3.0.8. Followed these instructions for installing FIPS-verified provider on top of existing OpenSSL installation, which involves fetching source code for both installed and verified versions, testing the verified providers against the installed version, then installing just the FIPS provider from 3.0.8.

For testing, build new v0 and v1 image and ran following commands on cpu and gpu for both, with same outputs all around. This tests listing providers before and after enabling FIPS, and then trying a non-FIPS algorithm (md5) to make sure it works before enabling, and doesn't work after:

(base) sagemaker-user@37b559f52280:~$ openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
(base) sagemaker-user@37b559f52280:~$ openssl md5 .profile
MD5(.profile)= f4e81ade7d6f9fb342541152d08e7a97
(base) sagemaker-user@37b559f52280:~$ export OPENSSL_CONF=/opt/conda/ssl/openssl-fips.cnf
(base) sagemaker-user@37b559f52280:~$ openssl list -providers
Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
(base) sagemaker-user@37b559f52280:~$ openssl md5 .profile
Error setting digest
40D758BC377F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (MD5 : 100), Properties ()
40D758BC377F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:272:
(base) sagemaker-user@37b559f52280:~$ openssl sha1 .profile
SHA1(.profile)= 2b9ee6d446f8f9ffccaab42b6df5649f749a9a07

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@claytonparnell claytonparnell added this to the v1.6.0 release milestone Feb 22, 2024
@claytonparnell claytonparnell merged commit 75def7c into aws:main Mar 4, 2024
nikhilumeshsargur pushed a commit to nikhilumeshsargur/sagemaker-distribution that referenced this pull request Mar 29, 2024
@claytonparnell @nikhilumeshsargur
feature: Add OpenSSL FIPS provider (aws#186)
cdf8b7e
nikhilumeshsargur pushed a commit to nikhilumeshsargur/sagemaker-distribution that referenced this pull request Apr 3, 2024
@claytonparnell @nikhilumeshsargur
feature: Add OpenSSL FIPS provider (aws#186)
a686e7f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rubanh rubanh rubanh approved these changes

@just4brown just4brown just4brown approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.6.0 release
Development

Successfully merging this pull request may close these issues.
3 participants
@claytonparnell @just4brown @rubanh