FoundationDB’s TLS system uses LibreSSL “by default”. While I applaud that choice, we’re looking at some deployments where we’ll need to be using FIPS-140-2 validated cryptographic modules, and the LibreSSL folks have taken a principled stand against ever going down that road.
Is the TLS integration designed to support other implementations besides LibreSSL via changes to the build system?
A long, long time ago, there was a release called FDB 5.2. In these prehistoric times, TLS code existed as a plugin, under the idea that alternative TLS implementations could be used. This plugin caused a great headache for both operations and testing. Operationally, it added another shared library that needed to be deployed alongside the client library, and all client libraries needed to be able to use the same version of the TLS plugin and understand how to find it. In testing, the TLS plugin needed to be available for simulation testing, as TLS being enabled or disabled would affect determinism. Thus, as it was causing a headache for developers and operators of FDB alike, it was just compiled into FDB as a static library from FDB 6.0 onwards.
After some investigations into how to speed up TLS connection times, we’ve discovered that OpenSSL appears to have some optimizations that LibreSSL does not, and that Boost.SSL exists, which would drastically simplify our TLS code. We’re likely going to be landing changes soon to cut the TLS implementation over to that, and statically link OpenSSL into FDB, which should then make getting FIPS also available a much easier process for you.
Personally, I’d prefer to statically build in LibreSSL or OpenSSL from ports, and then have a TLS-enabled FDB that has no external TLS dependency. If that’s not possible, I will probably make TLS an enabled-by-default option.
Hi Dave,
I know this is an old topic, but I would also want to understand how that FIPS compliance works. From the look of the conversation, as long as I can compile with, say, a version of openssl that is FIPS like what you have in your case (openssl 1.1.1f), that will make it compliant when running on a FIPS enabled host? Is that right? Thus, I just need to make sure that if I use the docker file build env. that FDB provides, or I try to compile it on a RHEL7/Centos7 host, that should work?