FIPS mode enable


#1

Hi!
Is there any plan to have Kong release with FIPS mode?

Nowadays I am compiling OPENRESTY with FIPS mode enabled.

Dockerfile example:

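######### Image Configuration #########
# Toolchain, PCRE headers and helper packages used by the source builds below.
# This is a single-stage build, so the compiler, git and netcat all remain in
# the final image; a separate build stage would keep them out of the runtime.
# `apt-get build-dep` needs `deb-src` entries in the image's sources list, and
# it needs -y because a docker build has no terminal to answer its prompt.
RUN apt-get -yqq update --fix-missing && \
    apt-get -yqq install \
        build-essential \
        dnsmasq \
        git \
        libpcre3 \
        libpcre3-dev \
        netcat \
        procps \
        unzip && \
    apt-get -yqq build-dep nginx && \
    rm -rf /var/lib/apt/lists/*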

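######### Building and Installing OpenSSL FIPS Object Module #########
ENV OPENSSL_FIPS_VERSION=2.0.16
# The tarball is taken from the build context and nothing here checks it, so
# the image is only as trustworthy as that file. The FIPS Object Module
# security policy prescribes how the source archive must be verified and the
# exact build commands (no extra ./config options); a module built from an
# unverified archive or with a modified procedure is not the validated module.
# NOTE(review): confirm this procedure against the security policy for 2.0.16.
COPY openssl-fips-${OPENSSL_FIPS_VERSION}.tar.gz /tmp/
RUN tar -xzf /tmp/openssl-fips-${OPENSSL_FIPS_VERSION}.tar.gz -C /tmp && \
    cd /tmp/openssl-fips-${OPENSSL_FIPS_VERSION} && \
    ./config && make && make install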

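######### Building and Installing OpenSSL #########
ENV OPENSSL_VERSION=1.0.2k
# As with the FIPS module, this archive comes from the build context unchecked;
# verify it against the publisher's checksum or signature before building.
# NOTE(review): 1.0.2k is an old release of a branch that no longer receives
# public upstream fixes; track the newest 1.0.2 release the module supports.
COPY openssl-${OPENSSL_VERSION}.tar.gz /tmp/
# `fips` builds a FIPS-capable OpenSSL on top of the module installed above.
# A FIPS-capable build reports a `-fips` suffix in `openssl version`, which is
# worth asserting once the install has finished.
# The mv/ln swaps only the command-line tool: packages from the distribution
# keep linking the distribution's libssl and are not covered by this build.
RUN tar -xzf /tmp/openssl-${OPENSSL_VERSION}.tar.gz -C /tmp && \
    cd /tmp/openssl-${OPENSSL_VERSION} && \
    ./config fips shared && \
    make && \
    make install && \
    mv /usr/bin/openssl /usr/bin/openssl_orig && \
    ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ENV OPENSSL_DIR=/usr/local/ssl \
    CRYPTO_DIR=/usr/local/ssl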

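######### Building and Installing OPENRESTY with FIPS-mode ENABLE #########
ENV OPENRESTY_VERSION=1.11.2.5
COPY openresty-${OPENRESTY_VERSION}.tar.gz /tmp/
# The sed line patches nginx so that FIPS_mode_set(1) runs right after
# SSL_library_init(). Two things can make that silently ineffective:
#  - sed exits 0 even when the pattern matches nothing, so the grep below
#    fails the build if the call was not actually inserted;
#  - the inserted call discards its return value, so when FIPS mode cannot be
#    enabled (self-test failure, OpenSSL not FIPS-capable) nginx keeps running
#    in non-FIPS mode without reporting it. Checking the result and aborting
#    start-up on failure would close that gap.
# NOTE(review): with --with-openssl nginx's build configures and compiles the
# OpenSSL source tree itself; confirm the `fips` option is still applied there
# (nginx has --with-openssl-opt for extra OpenSSL build options), otherwise the
# linked library is not FIPS-capable.
# The patched path hard-codes bundle/nginx-1.11.2 and has to be updated
# together with OPENRESTY_VERSION.
RUN tar -xzf /tmp/openresty-${OPENRESTY_VERSION}.tar.gz -C /tmp && \
    cd /tmp/openresty-${OPENRESTY_VERSION} && \
    service dnsmasq stop && \
    sed -i '/ SSL_library_init();/a FIPS_mode_set(1);' bundle/nginx-1.11.2/src/event/ngx_event_openssl.c && \
    grep -q 'FIPS_mode_set(1);' bundle/nginx-1.11.2/src/event/ngx_event_openssl.c && \
    ./configure \
        --with-pcre-jit \
        --with-ipv6 \
        --with-http_realip_module \
        --with-http_ssl_module \
        --with-openssl=/tmp/openssl-${OPENSSL_VERSION} \
        --with-http_stub_status_module \
        --with-http_v2_module && \
    make && \
    make install
ENV PATH="/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:${PATH}"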

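######### Install lua and luarocks #########

ENV LUAROCKS_VERSION=2.4.3
# The archive comes from the build context unchecked; verify it against the
# publisher's checksum before building.
COPY luarocks-${LUAROCKS_VERSION}.tar.gz /tmp/
# Build LuaRocks against the LuaJIT that ships with the OpenResty install above.
RUN tar -xvf /tmp/luarocks-${LUAROCKS_VERSION}.tar.gz -C /tmp && \
    cd /tmp/luarocks-${LUAROCKS_VERSION} && \
    ./configure \
        --lua-suffix=jit \
        --with-lua=/usr/local/openresty/luajit \
        --with-lua-include=/usr/local/openresty/luajit/include/luajit-2.1 && \
    make build && \
    make install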

sudo make bootstrap

#RUN ./configure && sudo make bootstrap
#RUN luarocks path --bin

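######### Install Kong #########
ENV KONG_VERSION=0.12.2-0
#ENV KONG_VERSION 0.11.2
WORKDIR /opt
# luarocks downloads Kong and its dependency rocks over the network during the
# build. Only Kong's own version is pinned here, so the dependencies resolved
# can differ from one build to the next.
# NOTE(review): cryptography performed by Lua rocks outside the patched
# nginx/OpenSSL is not governed by the FIPS_mode_set(1) call; review which
# dependencies do their own crypto.
RUN luarocks unpack kong ${KONG_VERSION} && \
    cd kong-${KONG_VERSION}/kong && \
    luarocks make && \
    chmod 755 bin/* && \
    mkdir -p /etc/kong

ENV PATH="/opt/kong-${KONG_VERSION}/kong/bin:${PATH}"

# NOTE(review): no USER instruction appears in this excerpt, so every step and
# the resulting container run as root unless one is set elsewhere.
RUN luarocks install kong ${KONG_VERSION}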