From: "jaruga (Jun Aruga) via ruby-core" <ruby-core@...>
Date: 2023-05-09T09:01:22+00:00
Subject: [ruby-core:113432] [Ruby master Misc#19608] Being a co-maintainer of the ruby/openssl for the OpenSSL FIPS mode

Issue #19608 has been updated by jaruga (Jun Aruga).


For anyone who is interested in how to debug ruby/openssl with OpenSSL 3 FIPS mode, I created a document about the topic below.

https://hackmd.io/@jaruga/ryDnksRm2


----------------------------------------
Misc #19608: Being a co-maintainer of the ruby/openssl for the OpenSSL FIPS mode
https://bugs.ruby-lang.org/issues/19608#change-103004

* Author: jaruga (Jun Aruga)
* Status: Assigned
* Priority: Normal
* Assignee: matz (Yukihiro Matsumoto)
----------------------------------------
## Motivation and context

Recently I have been working on [ruby/openssl](https://github.com/ruby/openssl) to support OpenSSL 3 FIPS mode, such as sending pull requests and reporting issues to the [OpenSSL project](https://github.com/openssl/openssl). The related issue ticket is [here](https://github.com/ruby/openssl/issues/603).

Currently, a challenge for ruby/openssl is that it doesn't work well in OpenSSL FIPS mode, and I want ruby/openssl to work in it by adding the OpenSSL 3 FIPS mode case to the CI, and by adding more FIPS-related unit tests and features. To solve this challenge, I would like to be a co-maintainer of ruby/openssl for FIPS mode related things. What do you think?

## What is FIPS mode?

For anyone who is interested in learning about FIPS mode, let me share the related documents below. In my understanding, FIPS mode is a security policy developed by the US government. In some cases, shipped Linux OS systems need to follow this policy. And OpenSSL has a feature to enable the FIPS mode. The README is [here](https://github.com/openssl/openssl/blob/master/README-FIPS.md). And there can be FIPS-specific issues in ruby/openssl with the OpenSSL FIPS mode enabled.

FIPS related documents:
* [FIPS Wikipedia](https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards)
* [Red Hat Enterprise Linux (RHEL)](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#con_federal-information-processing-standard-fips_assembly_installing-the-system-in-fips-mode)
* [Amazon Linux](https://aws.amazon.com/compliance/fips/)
* [SUSE Linux](https://www.suse.com/support/security/certifications/)
* [Ubuntu](https://ubuntu.com/security/certifications/docs/fips)

## Past FIPS related issue tickets

As a reference, I just found some old issue tickets below. They are about OpenSSL 1.0 and 1.1 FIPS mode.

* https://bugs.ruby-lang.org/issues/6946
* https://bugs.ruby-lang.org/issues/19073




-- 
https://bugs.ruby-lang.org/