FIPS 140-2 is a cryptographic functionality standard that is often required when handling sensitive information, particularly in government and regulated industries. Support for FIPS was a community request that has been addressed thanks to numerous contributors. Come hear about the journey taken by the Node.js community to allow building and testing a FIPS capable runtime. The talk will cover FIPS requirements, and the specific enablement, test updates, and changes to dependencies that were required. We’ll include code samples and walkthroughs, and end with an overview of how to use FIPS capable Node.js through sample deployments in the cloud.
2. About Michael Dawson
Loves the web and building software (with Node.js!)
Senior Software Developer @ IBM
IBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in LTS, build, benchmarking, API and post-mortem working groups
Contact me:
michael_dawson@ca.ibm.com
Twitter: @mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282
9. Just using FIPS capable Node.js is not enough
You have to use it correctly
Demonstrate to ‘customer’ you did the right thing
It is, however, an enabler
Application compliance
10. May 2015 – discussion starts
– https://github.com/nodejs/node-v0.x-archive/issues/25463
Jun 2015 – PR 1890
Nov 2015 – Issue 3760
– PRs 3752, 3753, 3754, 3755, 3756, 3757, 3758, 3759
– Added to community CI
Community History
11. Dec 2015 - NPM cleanup
Feb 2016 - Command Line improvement
Community History
12. Command Line:
--enable-fips
--force-fips
API
– crypto.fips
OpenSSL Config file
New API and runtime options (v6.x)
[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes