February 26, 2021
In this post, we will see
Note: I will not talk about what FIPS is all about.
Note: I ran the investigation below on CentOS 7.
FROM centos:7

# Build dependencies
RUN yum update -y
RUN yum -y install git libffi-devel libffi libxml2-devel libxslt-devel libjpeg-devel zlib-devel \
        make cmake gcc wget bzip2-devel sqlite-devel curl \
    && yum groupinstall -y 'Development Tools'

# Ask OpenSSL to run in FIPS mode by default inside the image
ENV OPENSSL_FIPS=1

# Build the FIPS object module first, then OpenSSL 1.0.2t against it.
# Everything is installed under /usr/local/ssl.
RUN mkdir -p /usr/local/src/ \
    && cd /usr/local/src/ \
    && curl -O https://www.openssl.org/source/openssl-fips-2.0.16.tar.gz \
    && curl -O https://www.openssl.org/source/openssl-1.0.2t.tar.gz \
    && tar -xvf openssl-fips-2.0.16.tar.gz \
    && cd openssl-fips-2.0.16 \
    && ./config \
    && make install \
    && cd ../ \
    && rm -f openssl-fips-2.0.16.tar.gz \
    && rm -rf ./openssl-fips-2.0.16 \
    && tar -xvf openssl-1.0.2t.tar.gz \
    && cd openssl-1.0.2t \
    && ./config shared fips no-ssl2 no-ssl3 \
    && make depend \
    && make install \
    && echo "/usr/local/ssl/lib" > /etc/ld.so.conf.d/openssl-1.0.2t.conf \
    && ldconfig -v \
    && ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl \
    && openssl version
OpenSSL provides the source code for a FIPS-enabled build, and we have to build it ourselves.
In the Dockerfile above, we also install the FIPS module, as suggested by OpenSSL.
Note: The centos:7 base image above had no prior OpenSSL present.
Even if an old OpenSSL is present on your machine, we are installing this one in a different folder: /usr/local/ssl
docker build -t my-fips-openssl .
$ openssl version
OpenSSL 1.0.2t-fips 10 Sep 2019
It is important to note that even after installing a FIPS-enabled OpenSSL, algorithms like md5 are not rejected straightaway.
We need to ask OpenSSL to enable FIPS mode.
See this example:
$ openssl md5 <file>
You will get a valid MD5 digest.
Enabling FIPS
$ OPENSSL_FIPS=1 openssl md5 <file>
Error setting digest md5
140584782555024:error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:256:
This proves that FIPS mode works: md5 is now rejected.
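The manual check above can be turned into a repeatable test for an image or host. The following is an added example, not code from the original post: `fips_status` is a hypothetical helper that classifies an `openssl` binary using the "-fips" version suffix and the "disabled for fips" error shown above. It assumes the `sha256` digest subcommand is available and that a refused digest exits non-zero.

```shell
#!/bin/sh
# Added example (not from the original post). fips_status is a hypothetical helper.
# Usage: fips_status [path-to-openssl]
# Prints: not-capable | broken | not-enforced | enforced  (exit 0 only for "enforced")
fips_status() {
    bin="${1:-openssl}"

    # 1. A FIPS-capable build advertises it in the version string,
    #    e.g. "OpenSSL 1.0.2t-fips  10 Sep 2019".
    if ! "$bin" version 2>/dev/null | grep -q -- '-fips'; then
        echo "not-capable"; return 1
    fi

    tmp=$(mktemp) || return 2
    printf 'fips self-check\n' > "$tmp"

    # 2. With FIPS mode requested, an approved digest must still work.
    if ! OPENSSL_FIPS=1 "$bin" sha256 "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; echo "broken"; return 2
    fi

    # 3. A non-approved digest (md5) must be refused with the
    #    "disabled for fips" error. Only stderr is captured here.
    err=$(OPENSSL_FIPS=1 "$bin" md5 "$tmp" 2>&1 >/dev/null) && rc=0 || rc=$?
    rm -f "$tmp"

    if [ "$rc" -ne 0 ] && printf '%s' "$err" | grep -qi 'disabled for fips'; then
        echo "enforced"; return 0
    fi
    echo "not-enforced"; return 1
}

# Run as: sh fips_check.sh --check /usr/local/ssl/bin/openssl
if [ "${1:-}" = "--check" ]; then
    fips_status "${2:-openssl}"
fi
```

A result of `not-enforced` means the binary reports a FIPS build but still computed an md5 digest with `OPENSSL_FIPS=1` set, so the build or its linkage to the FIPS module should be rechecked.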
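Run the script below with root privileges and restart your host machine. It rebuilds the initramfs with FIPS support and adds fips=1 to the kernel command line.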
# Installing the dracut package
sudo yum install dracut-fips -y
# Taking backup of current initramfs
mv -v /boot/initramfs-$(uname -r).img{,.bak}
# Building FIPS enabled initramfs
dracut
# Setting kernel params
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
# This line is required in case someone runs grub2-mkconfig manually
sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
uuid=$(findmnt -no uuid /boot)
[[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}
# This line is required in case someone runs grub2-mkconfig manually
[[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub
Let's see how we can enable FIPS in OpenSSL via Python 3.7
Let's see how we can enable FIPS in OpenSSL via Python 3.9