ruby / openssl

Provides SSL, TLS and general purpose cryptography.


OpenSSL::SSL::SSLContext.new returns SSL_CTX_new: library has no ciphers

ashiqueps opened this issue · comments

Hi,

I have built the OpenSSL 3.0.11 with fips and legacy providers enabled. Whenever I invoke OpenSSL::SSL::SSLContext.new with fips mode enabled, I am getting the library has no ciphers error. I've tried multiple other build options for OpenSSL as well, but that is also not helping.

irb(main):001:0> require "openssl"
=> true
irb(main):002:0> OpenSSL::SSL::SSLContext.new
=> #<OpenSSL::SSL::SSLContext:0x000001f3d47f1f60 @verify_hostname=false, @verify_mode=0>
irb(main):003:0> OpenSSL.fips_mode=true
=> true
irb(main):004:0> OpenSSL::SSL::SSLContext.new
(irb):4:in `new': SSL_CTX_new: library has no ciphers (OpenSSL::SSL::SSLError)
        from (irb):4:in `<main>'
        from C:/opscode/chef-workstation/embedded/lib/ruby/gems/3.1.0/gems/irb-1.4.1/exe/irb:11:in `<top (required)>'
        from C:/opscode/chef-workstation/embedded/bin/irb:33:in `load'
        from C:/opscode/chef-workstation/embedded/bin/irb:33:in `<main>'
irb(main):005:0>

ruby/openssl version: 3.2.0
OpenSSL: 3.0.11

Can anyone help me point out why this is happening, or is there something that I am missing here?

Why are you using the fips and "legacy" providers in the FIPS case? I think using the fips and base providers is typical in that case.

According to the following document, I am not sure if the legacy provider works in the FIPS case.

https://www.openssl.org/docs/manmaster/man7/fips_module.html

Applications written to use the OpenSSL 3.0 FIPS module should not use any legacy APIs or features that avoid the FIPS module. Specifically this includes:

You can check the following links.

I would also recommend using the latest ruby/openssl version, 3.2.0, by installing it with gem install openssl, or using Ruby 3.3, which bundles openssl gem 3.2.0, in the FIPS use case if that is no problem for you.

Hi @junaruga

I appreciate you for looking into this issue. We are using WinRM gem which internally uses rubyntlm gem. This gem still uses algorithms which are marked as legacy in OpenSSL v3. It was working fine when we were on OpenSSL 1.1.1t and started breaking when we upgraded it to version 3. I also had the suspicion that the use of legacy providers might mess up things and tried without it and I was still getting the same issue.

Also, I'm sorry for mentioning the incorrect version of ruby/openssl in the issue; I am using v3.2.0 and have updated the issue description as well. We are using Ruby 3.1.0 and by default it uses ruby/openssl 3.0.0. When I started testing FIPS mode I got the error that it doesn't support FIPS mode, so I upgraded it to 3.2.0.

I'll compile it from the source and try the approaches mentioned in the links you shared. Thanks a lot for looking into this.

I see. Thank you for sharing your situation.

I noticed perhaps you might misunderstand how to use OpenSSL.fips_mode.

Running OpenSSL.fips_mode=true only sets the default property query fips=yes documented at fips_module(7). It is equivalent to calling the OpenSSL API EVP_default_properties_enable_fips(NULL, 1). It doesn't load the fips provider. You need to set up the OpenSSL config file and/or call the Ruby OpenSSL methods in OpenSSL::Provider to load the fips provider manually.

I tested OpenSSL::SSL::SSLContext.new in FIPS mode on my local machine, and I confirmed it worked in my environment where OpenSSL loads the fips and base providers.

  • Ruby: the latest master branch: ruby 3.4.0dev (2024-01-09T09:47:15Z master 38bc107f0b) [x86_64-linux]
  • Ruby OpenSSL (ruby/openssl): the current latest master branch commit 1fa9fc5
  • OpenSSL: 3.0.12 (the latest version of the OpenSSL 3.0 series)

$ which ruby
~/.local/ruby-3.4.0dev-debug-38bc107f0b/bin/ruby
$ ruby -v
ruby 3.4.0dev (2024-01-09T09:47:15Z master 38bc107f0b) [x86_64-linux]

$ $HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/bin/openssl version
OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

You can check the loaded providers by the following openssl command.

$ OPENSSL_CONF=$HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/ssl/openssl_fips.cnf \
  $HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/bin/openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.12
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.12
    status: active

Here is the testing script.

$ cat test.rb
require "openssl"

puts "Providers: #{OpenSSL::Provider.provider_names.join(", ")}"
puts "FIPS enabled: #{OpenSSL.fips_mode}"
p OpenSSL::SSL::SSLContext.new

OpenSSL::SSL::SSLContext.new works in the non-FIPS case.

On the ruby/openssl project directory:

$ pwd
/home/jaruga/git/ruby/openssl

Run the script, loading the openssl library from this directory rather than the default openssl bundled as a standard library in Ruby.

$ ruby -I ./lib test.rb
Providers: default
FIPS enabled: false
#<OpenSSL::SSL::SSLContext:0x00007fcf9d93d400 @verify_mode=0, @verify_hostname=false>

OpenSSL::SSL::SSLContext.new also works in the FIPS case.

$ OPENSSL_CONF=$HOME/.local/openssl-3.0.12-fips-debug-c3cc0f1386/ssl/openssl_fips.cnf \
  ruby -I ./lib test.rb
Providers: fips, base
FIPS enabled: true
#<OpenSSL::SSL::SSLContext:0x00007f67bc9fd410 @verify_mode=0, @verify_hostname=false>
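The following diagnostic script is an added example, not part of this thread or of the ruby/openssl project. It separates the two things the comment above distinguishes: the fips=yes default property query that OpenSSL.fips_mode= toggles, and the providers actually loaded into the default library context. It then shows the manual path of loading the fips and base providers through OpenSSL::Provider (available in ruby/openssl 3.2 on OpenSSL 3) before enabling the query. It assumes the fips module and its fipsmodule.cnf are installed for the OpenSSL build in use; where they are not, the load step fails with OpenSSL::Provider::ProviderError and the script reports that instead of raising.

```ruby
require "openssl"

# Snapshot the process-wide state that decides whether SSLContext.new can find
# ciphers. :fips_query is the "fips=yes" default property query that
# OpenSSL.fips_mode=true sets; :providers is what is actually loaded. With the
# query on and no fips provider loaded, no algorithm matches the query and
# SSL_CTX_new fails with "library has no ciphers".
def fips_readiness
  providers = defined?(OpenSSL::Provider) ? OpenSSL::Provider.provider_names : []
  fips_query =
    begin
      OpenSSL.fips_mode
    rescue OpenSSL::OpenSSLError
      false # older OpenSSL builds without FIPS support
    end
  {
    openssl: OpenSSL::OPENSSL_LIBRARY_VERSION,
    providers: providers,
    fips_query: fips_query,
    fips_provider_loaded: providers.include?("fips"),
    base_provider_loaded: providers.include?("base"),
    # SSLContext.new is expected to work unless fips=yes is requested
    # while the fips provider is absent.
    expected_ok: !fips_query || providers.include?("fips")
  }
end

# Create an SSL context and report the outcome as a value instead of raising,
# so it can be correlated with fips_readiness in a diagnostic run.
def try_ssl_context
  OpenSSL::SSL::SSLContext.new
  :ok
rescue OpenSSL::SSL::SSLError => e
  e.message
end

# Manual equivalent of an openssl.cnf that activates fips and base: load both
# providers (the pairing fips_module(7) recommends), then turn on the fips=yes
# query. Assumes the fips module is installed for this OpenSSL build; otherwise
# OpenSSL::Provider.load raises OpenSSL::Provider::ProviderError.
# Returns the loaded provider objects so the caller can unload them later.
def enable_fips!
  unless defined?(OpenSSL::Provider)
    raise "OpenSSL::Provider requires ruby/openssl >= 3.2 on OpenSSL >= 3.0"
  end
  loaded = %w[fips base].map { |name| OpenSSL::Provider.load(name) }
  OpenSSL.fips_mode = true
  loaded
end

if $PROGRAM_NAME == __FILE__
  puts "before: #{fips_readiness.inspect} -> SSLContext.new: #{try_ssl_context.inspect}"
  begin
    enable_fips!
    puts "after:  #{fips_readiness.inspect} -> SSLContext.new: #{try_ssl_context.inspect}"
  rescue OpenSSL::Provider::ProviderError, RuntimeError => e
    puts "FIPS provider not available in this build: #{e.message}"
  end
end
```

Run with `ruby fips_check.rb` (assumed file name). Setting OpenSSL.fips_mode=true without the providers loaded reproduces the error from the issue; loading them first, whether through OPENSSL_CONF as in the transcript above or through enable_fips! here, makes the same SSLContext.new call succeed.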

Hi @junaruga,

I was following this documentation to set up FIPS for OpenSSL. Updating the openssl.cnf was not mentioned on that page and I missed that part. The issue happened because the fips provider was not enabled in the openssl conf. After enabling that, this is working fine for me.

Thanks a lot for helping me out with this issue.

OK. I am glad you solved your issue. Let me close this ticket.