Request #54339 FIPS Support
Submitted: 2011-03-21 19:21 UTC
Modified: 2021-12-18 21:49 UTC
Votes: 4
Avg. Score: 5.0 ± 0.0
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 2 (66.7%)
From: jyerge at tenable dot com
Assigned:
Status: Open
Package: OpenSSL related
PHP Version: 5.3.6
OS: Linux - Redhat EL5
Private report: No
CVE-ID: None

 [2011-03-21 19:21 UTC] jyerge at tenable dot com
Description:
------------
It appears that there's no FIPS support in the OpenSSL functionality, correct me 
if I'm wrong. When PHP is operating as a SAPI under Apache2, any calls to 
RSA_public_decrypt cause the following error:

SSL Library Error: 67674254 error:0408A08E:rsa routines:RSA_public_decrypt:operation not allowed in fips mode

This is due to the fact that PHP is calling RSA_public_decrypt directly, which 
isn't allowed when Apache is operating in FIPS mode (see SSLFIPS directive in the 
Apache2 documentation). The workaround is to use the EVP_Verify* functions in the 
OpenSSL library - at least that's what I've been reading.

Apache 2.2.17
PHP 5.3.6
OpenSSL 0.9.8r w/OpenSSL FIPS 1.2.2 module

 [2021-09-29 16:31 UTC] cmb@php.net
That would only make sense when we drop support for OpenSSL 1.1,
since there is no FIPS module available for that version[1].  And
even for OpenSSL 3.0, the FIPS module has only very recently
been submitted for validation[2].

[1] <https://wiki.openssl.org/index.php/FIPS_modules>
[2] <https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/>
 [2021-12-18 21:49 UTC] bukka@php.net
We can introduce a feature that is not available in lower OpenSSL versions, so there's no limitation of waiting for OpenSSL 1.1.1 to be dropped. Also, the validation is not what is requested and shouldn't matter that much for us. What's important is just whether the FIPS provider works well with PHP.

I think it should already be possible to have FIPS provider support in OpenSSL 3.0, as it should all be configurable (PHP allows specifying an explicit openssl conf based on operation). See https://wiki.openssl.org/index.php/OpenSSL_3.0#Using_the_FIPS_Module_in_applications for some details on how to configure it. From a quick look I don't think we should need programmatic changes, but we might need to double check that.

I think it might be worth keeping this open, as we should at least double check that it all works.
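
A minimal OpenSSL 3.0 configuration of the kind the last comment refers to, added here as an illustration (it is not part of the bug report or of PHP's code). It follows the layout in OpenSSL's FIPS module documentation; the `fipsmodule.cnf` path is an assumption and depends on where `openssl fipsinstall` wrote the file on your system.

```ini
# openssl-fips.cnf (example file name, an assumption)
# Fail loudly if any section below cannot be processed, instead of
# silently continuing with the non-FIPS default provider.
config_diagnostics = 1
openssl_conf = openssl_init

# Generated by `openssl fipsinstall`; it defines [fips_sect] together with
# the module integrity MAC and self-test status. The path is an assumption.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# FIPS provider: supplies the cryptographic algorithm implementations.
fips = fips_sect
# Base provider: key encoders/decoders only (PEM/DER), no cryptography.
# Without it, loading PEM keys fails once the default provider is absent.
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
# Every implicit algorithm fetch is restricted to implementations
# carrying the fips=yes property.
default_properties = fips=yes
```

OpenSSL loads the file named by the `OPENSSL_CONF` environment variable, so the setting has to be in the environment of the process that hosts PHP (for example the web server) before libcrypto initialises. Running `openssl list -providers` with the same variable set shows whether the `fips` and `base` providers were activated.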
Last updated: Sat Aug 13 00:05:43 2022 UTC