aws-sdk-ruby
Using the SDK with FIPS enabled
There appear to be a number of resources that require the use of OpenSSL::Digest::MD5 to operate:
- aws-sdk-core's http_checksum plugin
- aws-sdk-s3
- aws-sdk-sqs
Since MD5 is not approved for use with FIPS, is there any plan to modify the APIs or SDK in order to work when FIPS is enabled?
As a point of comparison, botocore performs detection of MD5 availability and sets an MD5_AVAILABLE constant. In a few places, it will not attempt to perform an MD5 digest (while others will raise an error).
Additionally, aws-cfn-bootstrap makes use of the usedforsecurity option to hashlib.new('md5') to allow the use of MD5 when not used for the purpose of security. This allows it to fetch objects from S3. I'm not aware of any similar option in Ruby's OpenSSL/Digest libraries, but maybe an alternative could be found.
Hey - yeah this is unfortunately a known limitation (see #2397). I wasn't aware of the usedforsecurity option - if we can find support (or if it's eventually added) in Ruby's OpenSSL libraries we could use that. In the meantime - I'll leave this open as a feature request and update if there are any new options or API changes.
Adding reference to https://github.com/aws/aws-sdk-ruby/issues/2645 as well...
There are upcoming changes that will add support for using user defined/flexible checksums, see: #2667. This is just the start, as operations/services need to add support for this trait, but it does provide a path in the future for letting users avoid md5 and the http_checksum plugin.
This is excellent! Thank you for the update.
And now, with version 1.113.0 of aws-sdk-s3, S3 supports setting flexible checksums - allowing you to avoid using md5 and use instead another, user selected checksum. See:
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
@alextwoods I don't think this solves the aws-sdk-sqs case yet.
Does https://github.com/aws/aws-sdk-ruby/discussions/2706 solve the issue? i.e. using the :use_fips_endpoint option?
@akostadinov That works for S3 -- We ended up solving the SQS issue by setting verify_checksums: false. I would like to see better support for FIPS + checksums, though.
I've created a parent issue in the aws-sdk repo, since this is a service API feature request.