Description
Background
We used to have a CI configuration for testing Node.js with FIPS enabled back when we were using OpenSSL 1.0.2. We stopped in Node.js 10.x when we moved to OpenSSL 1.1.x, as there was no upstream OpenSSL support for FIPS in that version. With OpenSSL 3, FIPS is back, this time as an OpenSSL 3 provider.
I've started work on re-adding a FIPS enabled configuration to our CI. For now this is in a temporary separate job as there are test failures.
richardlau-node-test-commit-linux-containered is based on node-test-commit-linux-containered with extra configurations, one of which, ubuntu2204_sharedlibs_openssl30fips_x64, is for FIPS enablement with OpenSSL 3. I've put together a slimmed down version of the container we're using in /~https://github.com/richardlau/ubuntu2204_fips for replication outside of the CI.
List of failing tests with FIPS enabled
e.g. https://ci.nodejs.org/job/richardlau-node-test-commit-linux-containered/14/nodes=ubuntu2204_sharedlibs_openssl30fips_x64
(on a929522)
- parallel.test-crypto-fips (fix in progress: crypto: remove OPENSSL_FIPS guard for OpenSSL 3 #48392)
- parallel.test-crypto-key-objects
- parallel.test-crypto-worker-thread
- addons.openssl-providers.test-legacy-provider-config
- parallel.test-crypto
- parallel.test-crypto-authenticated-stream
- parallel.test-crypto-certificate
- parallel.test-crypto-async-sign-verify
- parallel.test-crypto-authenticated
- parallel.test-crypto-des3-wrap
- parallel.test-crypto-dh-stateless
- parallel.test-crypto-getcipherinfo
- parallel.test-crypto-key-objects-messageport
- parallel.test-crypto-keygen
- parallel.test-crypto-keygen-deprecation
- parallel.test-crypto-no-algorithm
- parallel.test-crypto-private-decrypt-gh32240
- parallel.test-crypto-dh-odd-key
- parallel.test-crypto-rsa-dsa
- parallel.test-crypto-scrypt
- parallel.test-crypto-sign-verify
- parallel.test-https-agent-additional-options
- parallel.test-https-agent-session-eviction
- parallel.test-https-pfx
- parallel.test-tls-alert
- parallel.test-tls-cli-max-version-1.3
- parallel.test-tls-cli-max-version-1.2
- parallel.test-tls-cli-min-version-1.1
- parallel.test-tls-cli-min-version-1.0
- parallel.test-tls-cli-min-version-1.3
- parallel.test-tls-cli-min-version-1.2
- parallel.test-tls-client-getephemeralkeyinfo
- parallel.test-tls-client-mindhsize
- parallel.test-tls-ecdh-multiple
- parallel.test-tls-dhe
- parallel.test-tls-getprotocol
- parallel.test-tls-multi-key
- parallel.test-tls-multi-pfx
- parallel.test-tls-min-max-version
- parallel.test-tls-passphrase
- parallel.test-tls-pfx-authorizationerror
- parallel.test-tls-session-cache
- parallel.test-tls-set-ciphers
- parallel.test-tls-write-error
- parallel.test-webcrypto-export-import
- parallel.test-webcrypto-keygen
- parallel.test-webcrypto-sign-verify-ecdsa
- parallel.test-webcrypto-sign-verify-eddsa
- parallel.test-webcrypto-sign-verify-hmac
- parallel.test-webcrypto-sign-verify-rsa
- parallel.test-webcrypto-sign-verify
- parallel.test-webcrypto-wrap-unwrap
- sequential.test-async-wrap-getasyncid
- wpt.test-webcrypto
cc @nodejs/crypto