infra: install OpenSSL 3.0.1 in FIPS mode #23
Conversation
Well, it worked locally but OpenSSL 3 tests are still running with FIPS mode off...
Working!
LGTM, a question about the libssl-dev change.
@@ -12,8 +12,6 @@ jobs: | |||
steps: | |||
- name: Install build tools | |||
run: sudo apt-get install -y build-essential | |||
- name: Remove libssl-dev | |||
run: sudo apt-get remove -y libssl-dev |
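Review bot: with the `Remove libssl-dev` step dropped, the workflow no longer records why the Ubuntu OpenSSL headers are safe to leave installed; a short comment on the `Install build tools` step saying that the build no longer needs OpenSSL development headers (the reason given in the thread) would stop a later reader from reintroducing the removal or assuming the system headers are the ones under test. Since an earlier comment reports the tests still running with FIPS mode off, it is also worth adding a step that fails the job unless the self-built OpenSSL 3 reports the fips provider as active (for example by inspecting `openssl list -providers` from the installed binary's path), so the system OpenSSL being picked up by mistake is caught in CI rather than noticed afterwards.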
Does this mean the tests depend on the ubuntu-provided libssl-dev being installed first, then installing over it with our own build of 3.0? Or are we using both (openssl from ubuntu, but FIPS provider from our own build)?
I removed this because we don't need development headers anymore, which was why we were installing libssl-dev.
I must be missing something... it looks to me like this PR is removing the removal of libssl-dev, so after this PR we'll actually be leaving it installed after installing build-essential pulls it in.
My bad. We were previously removing the system openssl headers because we needed to use our own, so we were removing the system openssl headers to avoid conflicts. Now we don't care if there are headers or not, so there is no point in removing them.
Got it! Thanks.
OpenSSL 3 revamped the FIPS mode. It is no longer provided by an external module but by a built-in provider, which turns out to be easy to build and install.
Additionally, after #22 landed and removed the dependency on OpenSSL development headers, it is much easier to switch between OpenSSL versions.
These two facts together allow us to build, install and use OpenSSL 3 in FIPS mode with just some minor infra modifications.
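The failure mode seen earlier in this thread (tests quietly running with FIPS mode off) is easiest to catch with a CI guard that asserts the FIPS provider is really loaded. The script below is an added example, not code from this PR or its repository; it assumes the `openssl list -providers` output layout of OpenSSL 3 (provider names indented two spaces, attributes four) and uses a hypothetical OPENSSL_BIN variable to point at the self-built binary.

```shell
#!/bin/sh
# Added example (not from the PR): fail a CI job unless the OpenSSL 3 FIPS
# provider is loaded and active. Assumes the OpenSSL 3 `list -providers` layout.

# Return 0 only if the provider list names "fips" with "status: active".
# $1 is the text produced by `openssl list -providers`.
fips_provider_active() {
  printf '%s\n' "$1" | awk '
    /^  [^ ]/        { name = $1 }                                    # entry such as "  fips"
    /^    status: /  { if (name == "fips" && $2 == "active") found = 1 }
    END              { exit found ? 0 : 1 }'
}

# Run the check against a real binary. OPENSSL_BIN (hypothetical) lets CI point
# at the self-built OpenSSL 3 instead of whatever `openssl` is first in PATH,
# which is the usual way a FIPS build ends up running with the provider off.
check_fips_mode() {
  bin="${OPENSSL_BIN:-openssl}"
  out="$("$bin" list -providers 2>&1)" || { echo "cannot run $bin" >&2; return 2; }
  if fips_provider_active "$out"; then
    echo "FIPS provider active ($("$bin" version))"
  else
    echo "FIPS provider NOT active; provider list was:" >&2
    printf '%s\n' "$out" >&2
    return 1
  fi
}

# Constructed sample outputs (not captured from this PR's CI) for an offline check.
SAMPLE_FIPS_ACTIVE='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.1
    status: active'

SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.1
    status: active'

# Exercise the parser on the samples; a real workflow step would call check_fips_mode.
fips_provider_active "$SAMPLE_FIPS_ACTIVE"  && echo "sample 1: fips active (expected)"
fips_provider_active "$SAMPLE_DEFAULT_ONLY" || echo "sample 2: fips missing (expected)"
```

A workflow step that runs `OPENSSL_BIN=/path/to/built/openssl check_fips_mode` makes the job fail on exactly the condition the thread describes, rather than letting the test suite pass against the non-FIPS default provider.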