OpenSSL instead of LibreSSL? (FIPS mode ...)

FoundationDB’s TLS system uses LibreSSL “by default”. While I applaud that choice, we’re looking at some deployments where we’ll need to be using FIPS-140-2 validated cryptographic modules, and the LibreSSL folks have taken a principled stand against ever going down that road.

Is the TLS integration designed to support other implementations besides LibreSSL via changes to the build system?

A long long time ago, there was a release called FDB 5.2. In these prehistoric times, TLS code existed as a plugin, under the idea that alternative TLS implementations could be used. This plugin caused a great headache for both operations and testing. Operationally, it added another shared library that needed to be deployed alongside the client library; all client libraries needed to be able to use the same version of the TLS plugin, and to understand how to find it. In testing, the TLS plugin needed to be available for simulation testing, as TLS being enabled or disabled would affect determinism. Thus, as it was causing a headache for developers and operators of FDB alike, it was just compiled into FDB as a static library from FDB 6.0 onwards.

However, the code itself for TLS is still written as a plugin and still loaded as a plugin, using the TLS Plugin framework. This leaves the door pretty open for someone to go and undo the changes that made LibreSSL compiled-in and re-enable the now ignored --tls_plugin flag and options to allow specifying an additional external TLS library, and then make a way to configure which TLS implementation to use.


After some investigations into how to speed up TLS connection times, we’ve discovered that OpenSSL appears to have some optimizations that LibreSSL lacks, and that Boost.SSL exists, which would drastically simplify our TLS code. We’re likely going to be landing changes soon to cut the TLS implementation over to that, and statically link OpenSSL into FDB, which should then make getting FIPS also available a much easier process for you.
