From: SASADA Koichi
Date: 2012-12-20T13:37:12+09:00
Subject: [ruby-core:50999] Re: [ruby-trunk - Feature #6946] FIPS support?

Some CI servers fail with this modification.
http://rubyci.org/

and also on my development environment (Debian Squeeze) :)

$ make test-all
./ruby: symbol lookup error: /mnt/sdb1/ruby/build/.ext/x86_64-linux/openssl.so: undefined symbol: FIPS_mode_set

Could you check it?

FYI:
> $ LANG=C aptitude show openssl
> Package: openssl
> State: installed
> Automatically installed: no
> Version: 0.9.8o-4squeeze13
> Priority: optional
> Section: utils
> Maintainer: Debian OpenSSL Team
> Uncompressed Size: 2355 k
> Depends: libc6 (>= 2.7), libssl0.9.8 (>= 0.9.8m-1), zlib1g (>= 1:1.1.4)
> Suggests: ca-certificates
> Conflicts: ssleay (< 0.9.2b)
> Description: Secure Socket Layer (SSL) binary and related cryptographic tools
>  This package contains the openssl binary and related tools.
>
>  It is part of the OpenSSL implementation of SSL.
>
>  You need it to perform certain cryptographic actions like:
>  * Creation of RSA, DH and DSA key parameters;
>  * Creation of X.509 certificates, CSRs and CRLs;
>  * Calculation of message digests;
>  * Encryption and decryption with ciphers;
>  * SSL/TLS client and server tests;
>  * Handling of S/MIME signed or encrypted mail.

(2012/12/20 9:37), MartinBosslet (Martin Bosslet) wrote:
>
> Issue #6946 has been updated by MartinBosslet (Martin Bosslet).
>
>
> OK, finally got it working. I added OpenSSL.fips_mode= to enable/disable FIPS mode manually. The test suite now automatically disables FIPS mode when running the tests. This worked for my FIPS-enabled version of OpenSSL. I have also added a few tests that specifically assert some things that would be expected to fail in FIPS mode (test_fips.rb).
>
> @Vit: Could you please confirm that this works for you, too?
>
> @mame: Sorry that I committed this to 2.0.0 even if you already assigned it for next minor. But I felt the approach to adding FIPS support so far was flawed (my mistake) and I wouldn't want to see a half-assed implementation make its way into 2.0.0 - I hope this is OK?
> ----------------------------------------
> Feature #6946: FIPS support?
> https://bugs.ruby-lang.org/issues/6946#change-34880
>
> Author: vo.x (Vit Ondruch)
> Status: Closed
> Priority: Normal
> Assignee: MartinBosslet (Martin Bosslet)
> Category: ext
> Target version: next minor
>
>
> =begin
> Hi, running the test suite on a FIPS-enabled system using
>
>   $ find test/ -type f -name test_*.rb -exec make test-all TESTS="-v '{}'" \;
>
> command with the patch from #6938 applied, it gives me plenty of errors (see attached output.txt file). There are two kinds of errors as far as I understand: some are more or less test suite errors (e.g. #6938), which should be easy to fix, while some others (e.g. #6943) would need bigger changes.
>
> Is there any chance that Ruby will provide better support for FIPS and these errors get fixed?
> =end
>
>
>

-- 
// SASADA Koichi at atdot dot net