@krayon007 Sorry Bryan, I think this one is firmly in your court sir!
So, further to #2079 I think I'm building the agent incorrectly. When I check the -info on the agent, it states it's using OpenSSL 1.1.1g whereas it should be using the host's 1.0.2g-fips.
When I'm building Node8 with FIPS, I do install the FIPS libssl dev package sudo apt install -y build-essential libssl-dev=1.0.2g-1ubuntu4.fips.4.6.3 clang.
~/MeshAgent$ openssl version
OpenSSL 1.0.2g-fips 1 Mar 2016
~/MeshAgent$ ./meshagent_x86-64 -info
Compiled on: 17:15:21, Jul 30 2020
Commit Hash: f2eb015b2aa8f98ddc47e7b49aada6331818abea
Commit Date: 2020-Jul-29 13:25:40-0700
Using OpenSSL 1.1.1g 21 Apr 2020
~/MeshAgent$ cd /home/mc/meshcentral/node_modules/meshcentral/agents
~/mc/meshcentral/node_modules/meshcentral/agents$ chmod 775 meshagent_x86-64
~/mc/meshcentral/node_modules/meshcentral/agents$ ./meshagent_x86-64 -info
Compiled on: 14:06:10, Dec 10 2020
Commit Hash: cd6353ac289e8e480041e58229c9eb9f74edf939
Commit Date: 2020-Dec-10 13:54:08-0800
Using OpenSSL 1.1.1i 8 Dec 2020
~/mc/meshcentral/node_modules/meshcentral/agents$ chmod 664 meshagent_x86-64
Note: I have updated the server version to 0.7.25 and I'm pretty sure when I do that, new agents are downloaded and placed into the /agents folder - so that would explain the OpenSSL 1.1.1i version at the end. However as you can see when I run the -info in my MeshAgent build folder I get version 1.1.1g and not the expected 1.0.2g-fips that my host OpenSSL is using.
Here's the script that I use to build
BuildScript
#!/usr/bin/env bash
mc2Folder=/home/mc/meshcentral
cd ~
wget https://www.nasm.us/pub/nasm/releasebuilds/2.14.02/nasm-2.14.02.tar.gz -O nasm-2.14.02.tar.gz
tar -xvzf nasm-2.14.02.tar.gz
cd nasm-2.14.02
./configure
make -j8
sudo make install
cd ~
wget https://sourceforge.net/projects/libjpeg-turbo/files/1.4.2/libjpeg-turbo-1.4.2.tar.gz/download -O libjpeg-turbo-1.4.2.tar.gz
tar -xvzf libjpeg-turbo-1.4.2.tar.gz
cd libjpeg-turbo-1.4.2
./configure
make -j8
sudo apt-get install -y libx11-dev libxtst-dev libxext-dev libjpeg62-dev
cd ~
git clone https://github.com/Ylianst/MeshAgent.git
cd MeshAgent
make linux ARCHID=6
sudo cp meshagent_x86-64 ${mc2Folder}/node_modules/meshcentral/agents/
To answer questions posed on #2079:
Were you able to compile the .a files? Normally this is the command we use to configure OpenSSL when compiling, for linux on 64bit x86:
./Configure linux-x86_64 no-weak-ssl-ciphers no-srp no-psk no-comp no-zlib no-zl...
When you state "how [you] configure OpenSSL when compiling", are you referring to when you're compiling the MeshAgent? (if not and you're referring to compiling OpenSSL, I'm using pre-compiled Canonical FIPS compliant libraries, therefore I'm not permitted to recompile). Or maybe I've got the wrong end of the stick and should be running your "./Configure..." line before the make linux ARCHID=6 line?
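A quick way to settle the static-versus-dynamic question without trusting the agent's own -info banner is to read the DT_NEEDED entries of the binary, which is what `readelf -d meshagent_x86-64 | grep NEEDED` or `ldd` would show. The following is an added example, not MeshAgent or MeshCentral code: a small pure-Python ELF64 reader that lists those entries and reports whether libssl/libcrypto are among them. The sample images it builds are constructed here solely to exercise the reader offline; the sonames in them (libssl.so.1.0.0 as shipped by the Ubuntu 16.04 1.0.2g packages) are assumptions about the target system, and a statically linked agent will simply show no libssl/libcrypto entry at all.

```python
"""List the shared libraries an ELF64 binary declares (DT_NEEDED) without binutils."""
import struct

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1


def elf_needed(data):
    """Return the DT_NEEDED names of a little-endian ELF64 image held in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, sh_link, sh_info, sh_addralign, sh_entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        dyn_off, dyn_size = sh[4], sh[5]
        str_off = sections[sh[6]][4]          # sh_link points at the .dynstr section
        for pos in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                end = data.index(b"\0", str_off + d_val)
                needed.append(data[str_off + d_val:end].decode())
    return needed


def openssl_linkage(data):
    """Report whether the binary resolves OpenSSL from shared objects, and which ones."""
    sonames = [n for n in elf_needed(data) if n.startswith(("libssl.so", "libcrypto.so"))]
    return {"dynamic": bool(sonames), "sonames": sonames}


def build_sample_elf(needed):
    """Construct a minimal, non-runnable ELF64 image whose .dynamic lists `needed`.
    Only a test fixture so the reader can be exercised offline; not a real agent."""
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    offsets, pos = [], 1
    for n in needed:
        offsets.append(pos)
        pos += len(n) + 1
    dynamic = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64
    dynamic_off = dynstr_off + len(dynstr)
    dynamic_off += (-dynamic_off) % 8
    shoff = dynamic_off + len(dynamic)
    shoff += (-shoff) % 8

    def shdr(sh_type, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 8, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
             + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, 16))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    # e_type=ET_EXEC, e_machine=x86-64, no program headers, 3 section headers
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    img = bytearray(ehdr) + dynstr
    img += b"\0" * (dynamic_off - len(img)) + dynamic
    img += b"\0" * (shoff - len(img)) + shdrs
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(openssl_linkage(f.read()))
    else:
        print(openssl_linkage(build_sample_elf(["libssl.so.1.0.0", "libcrypto.so.1.0.0", "libc.so.6"])))
```

Run it against the real file with `python3 elf_needed.py meshagent_x86-64`. An agent that prints an OpenSSL version in -info but shows no libssl/libcrypto entry here has the TLS stack linked in statically, so the host's FIPS libraries are never loaded regardless of what is installed.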
OK, I see what's going on... I was referring to compiling static libraries for OpenSSL... You are wanting to dynamically link openssl using whatever OpenSSL library is installed on the platform? I will add a compile switch to the makefile to support that when compiling the agent...
You sir, are a gent and a scholar ... :beer:
That's exactly what I'm after...
Ok, I just pushed a new makefile...
If you add the switch DYNAMICTLS=1 it will link the shared library installed on your platform instead of the static libraries. So for example:
make linux ARCHID=6 DYNAMICTLS=1
You have to install the dev libraries first, so in my case, I did: apt-get install libssl-dev and tested against that. This installed a 1.1.1 branch, so if you have problems with the 1.0.2 branch let me know.
I _really_ appreciate this Bryan - I'll let you know how I get on
Ok @krayon007 , so here's the first stab at this. Initially, wanted to check that I had the libssl-dev package installed, which looks good (as well as the version):
$ dpkg-query -l | grep libssl-dev
ii libssl-dev:amd64 1.0.2g-1ubuntu4.fips.4.17.1 amd64 Secure Sockets Layer toolkit - development files
So using make linux ARCHID=6 DYNAMICTLS=1 resulted in a number of undefined references.
Compile1 snippet
...
gcc -DJPEGMAXBUF=0 -DMESH_AGENTID=6 -std=gnu99 -g -Wall -D_POSIX -DMICROSTACK_PROXY -DILibChain_WATCHDOG_TIMEOUT=6000000 -fno-strict-aliasing -I. -Iopenssl/include -Imicrostack -Imicroscript -Imeshcore -Imeshconsole -DDUK_USE_DEBUGGER_SUPPORT -DDUK_USE_INTERRUPT_COUNTER -DDUK_USE_DEBUGGER_INSPECT -DDUK_USE_DEBUGGER_PAUSE_UNCAUGHT -D_LINKVM -DMICROSTACK_TLS_DETECT -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fstack-protector -fno-strict-aliasing -c -o meshcore/agentcore.o meshcore/agentcore.c
gcc -DJPEGMAXBUF=0 -DMESH_AGENTID=6 -std=gnu99 -g -Wall -D_POSIX -DMICROSTACK_PROXY -DILibChain_WATCHDOG_TIMEOUT=6000000 -fno-strict-aliasing -I. -Iopenssl/include -Imicrostack -Imicroscript -Imeshcore -Imeshconsole -DDUK_USE_DEBUGGER_SUPPORT -DDUK_USE_INTERRUPT_COUNTER -DDUK_USE_DEBUGGER_INSPECT -DDUK_USE_DEBUGGER_PAUSE_UNCAUGHT -D_LINKVM -DMICROSTACK_TLS_DETECT -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fstack-protector -fno-strict-aliasing -c -o meshconsole/main.o meshconsole/main.c
gcc -DJPEGMAXBUF=0 -DMESH_AGENTID=6 -std=gnu99 -g -Wall -D_POSIX -DMICROSTACK_PROXY -DILibChain_WATCHDOG_TIMEOUT=6000000 -fno-strict-aliasing -I. -Iopenssl/include -Imicrostack -Imicroscript -Imeshcore -Imeshconsole -DDUK_USE_DEBUGGER_SUPPORT -DDUK_USE_INTERRUPT_COUNTER -DDUK_USE_DEBUGGER_INSPECT -DDUK_USE_DEBUGGER_PAUSE_UNCAUGHT -D_LINKVM -DMICROSTACK_TLS_DETECT -O2 -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -fstack-protector -fno-strict-aliasing -c -o meshcore/meshinfo.o meshcore/meshinfo.c
gcc microstack/ILibAsyncServerSocket.o microstack/ILibAsyncSocket.o microstack/ILibAsyncUDPSocket.o microstack/ILibParsers.o microstack/ILibMulticastSocket.o microstack/ILibRemoteLogging.o microstack/ILibWebClient.o microstack/ILibWebRTC.o microstack/ILibWebServer.o microstack/ILibCrypto.o microstack/ILibWrapperWebRTC.o microstack/ILibSimpleDataStore.o microstack/ILibProcessPipe.o microstack/ILibIPAddressMonitor.o microscript/duktape.o microscript/duk_module_duktape.o microscript/ILibDuktape_DuplexStream.o microscript/ILibDuktape_Helpers.o microscript/ILibDuktape_net.o microscript/ILibDuktape_ReadableStream.o microscript/ILibDuktape_WritableStream.o microscript/ILibDuktapeModSearch.o microscript/ILibDuktape_WebRTC.o microscript/ILibDuktape_SimpleDataStore.o microscript/ILibDuktape_GenericMarshal.o microscript/ILibDuktape_fs.o microscript/ILibDuktape_SHA256.o microscript/ILibduktape_EventEmitter.o microscript/ILibDuktape_EncryptionStream.o microscript/ILibDuktape_Polyfills.o microscript/ILibDuktape_Dgram.o microscript/ILibDuktape_ScriptContainer.o microscript/ILibDuktape_MemoryStream.o microscript/ILibDuktape_NetworkMonitor.o microscript/ILibDuktape_ChildProcess.o microscript/ILibDuktape_HttpStream.o microscript/ILibDuktape_Debugger.o microscript/ILibDuktape_CompressedStream.o meshcore/zlib/adler32.o meshcore/zlib/deflate.o meshcore/zlib/inffast.o meshcore/zlib/inflate.o meshcore/zlib/inftrees.o meshcore/zlib/trees.o meshcore/zlib/zutil.o meshcore/KVM/Linux/linux_kvm.o meshcore/KVM/Linux/linux_events.o meshcore/KVM/Linux/linux_tile.o meshcore/KVM/Linux/linux_compression.o meshcore/agentcore.o meshconsole/main.o meshcore/meshinfo.o -l:lib-jpeg-turbo/linux/x86-64/libturbojpeg.a -L. -lpthread -ldl -lutil -lm -no-pie -lssl -lcrypto -lrt -z noexecstack -z relro -z now -o meshagent_x86-64
microstack/ILibWebClient.o: In function `ILibWebClient_Https_AuthenticateServer':
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3513: undefined reference to `X509_STORE_CTX_get0_chain'
microstack/ILibWebClient.o: In function `ILibWebClient_EnableHTTPS':
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3538: undefined reference to `TLS_client_method'
/home/ubuntu/MeshAgent/microstack/ILibWebClient.c:3545: undefined reference to `SSL_CTX_set_options'
microstack/ILibWebRTC.o: In function `ILibStun_AddMessageIntegrityAttr':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:1404: undefined reference to `HMAC_CTX_new'
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:1408: undefined reference to `HMAC_CTX_free'
microstack/ILibWebRTC.o: In function `ILibTURN_CalculateMessageIntegrity':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:6670: undefined reference to `HMAC_CTX_new'
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:6674: undefined reference to `HMAC_CTX_free'
microstack/ILibWebRTC.o: In function `ILibStun_ProcessStunPacket':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:2032: undefined reference to `HMAC_CTX_new'
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:2036: undefined reference to `HMAC_CTX_free'
microstack/ILibWebRTC.o: In function `ILibStun_SendDtls':
/home/ubuntu/MeshAgent/microstack/ILibWebRTC.c:3054: undefined reference to `SSL_get_state'
microstack/ILibWebServer.o: In function `ILibWebServer_Session_Verify':
/home/ubuntu/MeshAgent/microstack/ILibWebServer.c:963: undefined reference to `X509_STORE_CTX_get0_chain'
microstack/ILibWebServer.o: In function `ILibWebServer_EnableHTTPS':
/home/ubuntu/MeshAgent/microstack/ILibWebServer.c:990: undefined reference to `TLS_server_method'
/home/ubuntu/MeshAgent/microstack/ILibWebServer.c:997: undefined reference to `SSL_CTX_set_options'
microstack/ILibCrypto.o: In function `util_openssl_init':
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:457: undefined reference to `OPENSSL_init_ssl'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:458: undefined reference to `OPENSSL_init_ssl'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:459: undefined reference to `OPENSSL_init_crypto'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:461: undefined reference to `OPENSSL_init_crypto'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:462: undefined reference to `OPENSSL_init_crypto'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:463: undefined reference to `OPENSSL_init_crypto'
microstack/ILibCrypto.o: In function `sk_PKCS7_SIGNER_INFO_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/pkcs7.h:49: undefined reference to `OPENSSL_sk_value'
/home/ubuntu/MeshAgent/openssl/include/openssl/pkcs7.h:49: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_PKCS7_SIGNER_INFO_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/pkcs7.h:49: undefined reference to `OPENSSL_sk_num'
microstack/ILibCrypto.o: In function `sk_X509_ALGOR_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/asn1.h:119: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_X509_ALGOR_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/asn1.h:119: undefined reference to `OPENSSL_sk_num'
microstack/ILibCrypto.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_X509_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_num'
microstack/ILibCrypto.o: In function `util_mkCert':
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:724: undefined reference to `X509_getm_notBefore'
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:725: undefined reference to `X509_getm_notAfter'
microstack/ILibCrypto.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microstack/ILibCrypto.o: In function `sk_X509_free':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_free'
microstack/ILibCrypto.o: In function `sk_X509_new_null':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_new_null'
microstack/ILibCrypto.o: In function `sk_X509_push':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_push'
microstack/ILibCrypto.o: In function `sk_X509_free':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_free'
microstack/ILibCrypto.o: In function `util_openssl_uninit':
/home/ubuntu/MeshAgent/microstack/ILibCrypto.c:506: undefined reference to `OPENSSL_cleanup'
microscript/ILibDuktape_net.o: In function `ILibDuktape_TLS_createSecureContext':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2384: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2385: undefined reference to `SSL_CTX_set_options'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2399: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2400: undefined reference to `SSL_CTX_set_options'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2429: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2430: undefined reference to `SSL_CTX_set_options'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2414: undefined reference to `TLS_method'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2415: undefined reference to `SSL_CTX_set_options'
microscript/ILibDuktape_net.o: In function `ILibDuktape_TLS_verify':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2028: undefined reference to `X509_STORE_CTX_get0_chain'
microscript/ILibDuktape_net.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microscript/ILibDuktape_net.o: In function `sk_X509_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_num'
microscript/ILibDuktape_net.o: In function `ILibDuktape_TLS_server_verify':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_net.c:2056: undefined reference to `X509_STORE_CTX_get0_chain'
microscript/ILibDuktape_net.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microscript/ILibDuktape_net.o: In function `sk_X509_num':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_num'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_SHA256_SIGNER_Finalizer':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:150: undefined reference to `EVP_MD_CTX_free'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_SHA256_SIGNER_Create':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:254: undefined reference to `EVP_MD_CTX_new'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_VERIFIER_Create':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:331: undefined reference to `EVP_MD_CTX_new'
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:339: undefined reference to `X509_get0_pubkey'
microscript/ILibDuktape_SHA256.o: In function `ILibDuktape_RSA_Verify':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_SHA256.c:391: undefined reference to `X509_get0_pubkey'
microscript/ILibDuktape_Polyfills.o: In function `sk_X509_value':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microscript/ILibDuktape_Polyfills.o: In function `sk_X509_free':
/home/ubuntu/MeshAgent/openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_free'
microscript/ILibDuktape_Polyfills.o: In function `ILibDuktape_bignum_fromBuffer':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_Polyfills.c:2149: undefined reference to `BN_lebin2bn'
microscript/ILibDuktape_ScriptContainer.o: In function `ILibDuktape_ScriptContainer_Process_Init':
/home/ubuntu/MeshAgent/microscript/ILibDuktape_ScriptContainer.c:1217: undefined reference to `OpenSSL_version'
meshconsole/main.o: In function `main':
/home/ubuntu/MeshAgent/meshconsole/main.c:241: undefined reference to `OpenSSL_version'
collect2: error: ld returned 1 exit status
makefile:497: recipe for target 'meshagent_x86-64' failed
make[1]: *** [meshagent_x86-64] Error 1
make[1]: Leaving directory '/home/ubuntu/MeshAgent'
makefile:562: recipe for target 'linux' failed
make: *** [linux] Error 2
Apologies Bryan, my ineptitude at not being a C programmer is going to show profoundly so I'm not going to be much help here, other than responding back with results ... In the hope that this is somewhat useful, my setup:
Versions of gcc, clang and make
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 5.4.0-6ubuntu1~16.04.12' --with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-5 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/6.0.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/5.4.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/6.0.0
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.0
Candidate multilib: .;@m64
Selected multilib: .;@m64
GNU Make 4.1
Built for x86_64-pc-linux-gnu
Copyright (C) 1988-2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
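Every symbol the linker complains about above (OPENSSL_init_ssl, OPENSSL_sk_*, HMAC_CTX_new, EVP_MD_CTX_new, TLS_method, X509_STORE_CTX_get0_chain, X509_getm_notBefore, OpenSSL_version, ...) first appeared in the OpenSSL 1.1.0 API, and the compile lines show `-Iopenssl/include`, the tree's bundled 1.1.x headers, while the link line pulls in the platform's `-lssl -lcrypto`. That combination is a header/library version mismatch rather than a missing library. As an added example, not part of the MeshAgent build or this thread's code, the script below parses a gcc/ld log, separates the 1.1.0-only symbols from any other unresolved ones, and flags the bundled include path. The symbol list is from the 1.1.0 API change list; the sample log is a constructed excerpt modelled on the output above with paths shortened.

```python
"""Diagnose an OpenSSL header/library mismatch from gcc/ld 'undefined reference' output."""
import re
from collections import Counter

# Functions that first appeared in the OpenSSL 1.1.0 API (opaque HMAC_CTX/EVP_MD_CTX,
# OPENSSL_sk_*, OPENSSL_init_*, TLS_*_method, the X509_get0/getm accessors).
# A 1.0.2 libssl/libcrypto exports none of them; seeing them unresolved while
# -lssl -lcrypto are on the link line points at 1.1.x headers over a 1.0.2 library.
OPENSSL_110_API = frozenset({
    "OPENSSL_init_ssl", "OPENSSL_init_crypto", "OPENSSL_cleanup", "OpenSSL_version",
    "OPENSSL_sk_num", "OPENSSL_sk_value", "OPENSSL_sk_push", "OPENSSL_sk_free",
    "OPENSSL_sk_new_null", "HMAC_CTX_new", "HMAC_CTX_free", "EVP_MD_CTX_new",
    "EVP_MD_CTX_free", "TLS_method", "TLS_client_method", "TLS_server_method",
    "SSL_CTX_set_options", "SSL_get_state", "X509_STORE_CTX_get0_chain",
    "X509_get0_pubkey", "X509_getm_notBefore", "X509_getm_notAfter", "BN_lebin2bn",
})

UNDEF_RE = re.compile(r"undefined reference to [`']([A-Za-z_][A-Za-z0-9_]*)'")
INCLUDE_RE = re.compile(r"(?:^|\s)-I(\S+)")


def diagnose(log):
    """Parse a build log; return which unresolved symbols are 1.1.0-only and a verdict."""
    undefined = Counter()
    bundled_includes = set()
    links_system_ssl = False
    for line in log.splitlines():
        m = UNDEF_RE.search(line)
        if m:
            undefined[m.group(1)] += 1
            continue
        if " -lssl " in line and " -lcrypto " in line:
            links_system_ssl = True
        for path in INCLUDE_RE.findall(line):
            # a relative include path containing 'openssl' is the tree's bundled copy,
            # not the platform headers under /usr/include
            if "openssl" in path and not path.startswith("/"):
                bundled_includes.add(path)
    api_110 = sorted(s for s in undefined if s in OPENSSL_110_API)
    other = sorted(s for s in undefined if s not in OPENSSL_110_API)
    if not undefined:
        verdict = "no undefined references"
    elif api_110 and links_system_ssl:
        detail = ""
        if bundled_includes:
            detail = "; compiled with bundled headers " + ", ".join(sorted(bundled_includes))
        verdict = ("header/library mismatch: %d OpenSSL 1.1.0+ symbols unresolved while "
                   "linking the platform libssl/libcrypto%s" % (len(api_110), detail))
    else:
        verdict = "unresolved symbols not explained by an OpenSSL version mismatch"
    return {"missing_110_api": api_110, "other_missing": other,
            "bundled_openssl_include": sorted(bundled_includes),
            "links_system_ssl": links_system_ssl, "verdict": verdict}


# Constructed excerpt modelled on the failing DYNAMICTLS=1 link (paths shortened).
SAMPLE_LOG = """\
gcc -DMESH_AGENTID=6 -std=gnu99 -I. -Iopenssl/include -Imicrostack -c -o meshcore/agentcore.o meshcore/agentcore.c
gcc microstack/ILibCrypto.o meshcore/agentcore.o -L. -lpthread -ldl -no-pie -lssl -lcrypto -lrt -o meshagent_x86-64
microstack/ILibWebRTC.o: In function `ILibStun_AddMessageIntegrityAttr':
microstack/ILibWebRTC.c:1404: undefined reference to `HMAC_CTX_new'
microstack/ILibWebRTC.c:1408: undefined reference to `HMAC_CTX_free'
microstack/ILibCrypto.c:457: undefined reference to `OPENSSL_init_ssl'
openssl/include/openssl/x509.h:99: undefined reference to `OPENSSL_sk_value'
microscript/ILibDuktape_net.c:2384: undefined reference to `TLS_method'
collect2: error: ld returned 1 exit status
"""

if __name__ == "__main__":
    import sys
    # pipe a real build in with: make linux ARCHID=6 DYNAMICTLS=1 2>&1 | python3 diag.py -
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG
    for key, value in diagnose(text).items():
        print("%s: %s" % (key, value))
```

The useful output is the split: if anything lands in `other_missing`, a different library is absent; if everything is in `missing_110_api`, pointing the compile at the headers that match the installed libssl (for the Ubuntu package, /usr/include/openssl) is the fix, which is what the later makefile change does.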
Over the weekend I'll see if I can install the fips version and see if I can figure this out.
Maybe this is known already, the OpenSSL FIPS module is out of support. The MeshAgent uses OpenSSL 1.1.1 and so, not sure if it will compile using OpenSSL 1.0.2 without making some changes to the code. Even if it does, OpenSSL 1.0.2 itself is out of support and so, not recommended for use. For example, this vulnerability is not fixed in 1.0.2. It seems like a FIPS module will be available with OpenSSL 3.0, so that is good news for the future. Let us know if this is already known and accounted for.
@krayon007 - Ubuntu has FIPS compliant modules which are available through an Ubuntu Advantage subscription (Canonical went through FIPS compliancy for 16, 18 and 20 is underway). I can make either an OVF / VMDK or AWS instance available to you if required if it helps?
@Ylianst I totally understand - unfortunately, v1.0.2 is the only version that supports FIPS when building Node, which is why I'm constrained to using it (believe me, I'd rather not!) The CVEs attached to it are an assigned risk for this particular customer. I'm keen to see when v3.0 is available but I've been working on this particular project for over a year now and I'm not going to hold out much hope for that version to be with us any time soon. Canonical's OpenSSL module is supported, although there's not too much you can do with it - you're not permitted to change the source or build code.
Ok, thanks! A vmdk would certainly speed things up on my side as I could skip finding/building fips, and just go straight to looking at the makefile and/or building the agent.
Ok, I think a vmdk would make it simpler, as it looks like if I compile my own FIPS openssl, it does not generate a shared library, it generates a fips canister (.o file), which is probably different than what you are using?
I've been playing with getting you something usable most of the day - I'm hoping that my last iteration works - more when I have it
Having more issues with this @krayon007 ... everything seems to work just fine until I import it into VMware Workstation, the guest OS boots up in read only mode. So, running through the motions (again): will reach out when I have a working version that I can make available to you.
@krayon007 as per my email, use the "mc2" user.
Thanks! I successfully downloaded your ova file. This should really help with trying to get the Agent compiled for FIPS.
@krayon007 I also wondered if it would be worthwhile making an OVA that had NodeJS installed upon it (and therefore running with the FIPS OpenSSL libraries), with the scripts that shows how I did that? Help or hindrance?
That could be useful , particularly for server side issues we may encounter. I'm out of town at the moment, so I may not be able to download it until Wednesday or so.
Thanks, I got the new ova file downloaded. I'll take a look at it over the holidays.
Just checking in @krayon007 - anything I can assist with?
Sorry, I haven't gotten around to it yet, I had a few high priority interrupts...
OK, I fixed it.. I was compiling against the wrong includes when dynamically linking, I fixed it so when dynamically linking it will use /usr/include/openssl
But anyways, I simplified the makefile, so you can just do the following to build and dynamically link with FIPS support:
make linux ARCHID=6 FIPS=1
The only issue, is that openssl/1.02g-fips does not support TLSv1.2 or TLSv1.3, which is required to connect to the mesh server by default... But you can always modify the server if need be... Here's the output when I ran the agent on the ova you gave me, you can see it reports fips support. I made it so when you compile with the FIPS=1 , it will attempt to enter fips mode when the agent starts. If it fails, it will critical exit.

Once again, the MC2 team comes through in spades. @krayon007 I can't thank you enough - it's going to be a couple of days before I can try this out and I will certainly let you know how I get on. However, one thought: you state that you're using /usr/include/openssl - and I'm sure that works perfectly in Ubuntu, but for the sake of potentially other OSs, would it make sense to use something like which openssl and then take the response from that? (Apologies, I'm not sure how you would actually do this in code, but I'm just conscious that the location of openssl could change, potentially between versions of an OS as well as the OS itself). Just a thought sir.
Since it's a makefile I think the easiest way is if I add an optional build switch, so that you can specify an alternate path as a command line parameter when you run make.
I've been snowed for the last few weeks, but finally getting round to testing this today... will let you know how I get on
1.02g-fips does not support TLSv1.2 or TLSv1.3, which is required to connect to the mesh server by default... But you can always modify the server if need be
THAT may be a (bloody) showstopper, I didn't realize that ... bear with me, working on how to address that particular gotcha... In the interests of ploughing forward though, you make reference to the fact that the server could be reconfigured to permit TLS1.0? Is there any documentation on that front?