aws-sdk-ruby icon indicating copy to clipboard operation
aws-sdk-ruby copied to clipboard

Published 20 hours ago verified publisher icon aws

Using the SDK with FIPS enabled

Open phene opened this issue 2 years ago • 9 comments

There appear to be a number of resources that require the use of OpenSSL::Digest::MD5 to operate:

  • aws-sdk-core's http_checksum plugin
  • aws-sdk-s3
  • aws-sdk-sqs

Since MD5 is not approved for use with FIPS, is there any plan to modify the APIs or SDK in order to work when FIPS is enabled?

As a point of comparison, botocore performs detection MD5 availability and sets a MD5_AVAILABLE constant. In a few places, it will not attempt to perform an MD5 digest (while others will raise an error).

Additionally, aws-cfn-bootstrap makes use of the usedforsecurity option to hashlib.new('md5') to allow the use of MD5 when not used for the purpose of security. This allows it to fetch objects from S3. I'm not aware of any similar option in Ruby's OpenSSL/Digest libraries, but maybe an alternative could be found.

phene avatar Feb 02 '22 22:02 phene

Hey - yeah this is unfortunately a known limitation (see #2397). I wasn't aware of the usedforsecurity option - if we can find support (or if its eventually added) to Ruby's OpenSSL libraries we could use that. In the meantime - I'll leave this open as a feature request and update if there are any new options or API changes.

alextwoods avatar Feb 03 '22 17:02 alextwoods

Adding reference to https://github.com/aws/aws-sdk-ruby/issues/2645 as well...

phene avatar Feb 03 '22 19:02 phene

There are upcoming changes that will add support for using user defined/flexible checksums, see: #2667. This is just the start, as operations/services need to add support for this trait, but it does provide a path in the future for letting users avoid md5 and the http_checksum plugin.

alextwoods avatar Feb 21 '22 20:02 alextwoods

This is excellent! Thank you for the update.

phene avatar Feb 22 '22 04:02 phene

An now, with version 1.113.0 of aws-sdk-s3, S3 now supports setting flexible checksums - allowing you to avoid using md5 and use instead another, user selected checksum. See:

alextwoods avatar Feb 25 '22 18:02 alextwoods

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar Feb 25 '22 18:02 github-actions[bot]

@alextwoods I don't think this solves the aws-sdk-sqs case yet.

phene avatar Feb 25 '22 19:02 phene

Does https://github.com/aws/aws-sdk-ruby/discussions/2706 solve the issue? i.e. using the :use_fips_endpoint option?

akostadinov avatar Jun 17 '22 17:06 akostadinov

@akostadinov That works for S3 -- We ended up solving the SQS issue by setting verify_checksums: false. I would like to see better support for FIPS + checksums, though.

phene avatar Jun 17 '22 17:06 phene

I've created a parent issue in the aws-sdk repo, since this is a service API feature request.

mullermp avatar Mar 20 '23 18:03 mullermp

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] avatar Mar 20 '23 18:03 github-actions[bot]