Cryptographic functions using OpenSSL fail in a container running on a Linux kernel with FIPS enabled

[ddunkin]

Description

Cryptographic functions using OpenSSL fail when running in a container based on Ubuntu 24.04 (Noble) running on a Linux kernel with FIPS enabled. OpenSSL tries to load its fips module, which is not present in the container. When calling a crypto function in .NET, the result is an interop exception.

See https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593 for Ubuntu adding the kernel FIPS detection.

Reproduction Steps

1. Build a container in .NET 8 with the noble family with this program:

   using System.Security.Cryptography;
   using System.Text;
   
   var builder = WebApplication.CreateBuilder(args);
   var app = builder.Build();
   
   app.MapGet("/", (string? message) => message ?? "Hello World!");
   app.MapGet("/hash", (string? message) => Convert.ToBase64String(SHA384.HashData(Encoding.UTF8.GetBytes(message     ?? "Hello World!"))));
   app.MapGet("/env", () => new EnvironmentInfo());
   
   app.Run();
   

   Code and prebuilt container images available at https://github.com/ddunkin/EchoServer.

2. Run the container on a kernel with FIPS enabled.

3. Hit the /hash route.

Expected behavior

The route should return a hash of the message.

Actual behavior

Interop+Crypto+OpenSslCryptographicException: error:03000086:digital envelope routines::initialization error
   at System.Security.Cryptography.HashProviderDispenser.OneShotHashProvider.HashData(String hashAlgorithmId, ReadOnlySpan`1 source, Span`1 destination)
   at System.Security.Cryptography.SHA384.TryHashData(ReadOnlySpan`1 source, Span`1 destination, Int32& bytesWritten)
   at System.Security.Cryptography.SHA384.HashData(ReadOnlySpan`1 source, Span`1 destination)
   at System.Security.Cryptography.SHA384.HashData(ReadOnlySpan`1 source)
   at System.Security.Cryptography.SHA384.HashData(Byte[] source)

Regression?

No response

Known Workarounds

Set OPENSSL_FORCE_FIPS_MODE=0 in the environment in the container.

Configuration

dotnet publish built container
.NET 8.0
Ubuntu 24.04
x64
FIPS enabled in the kernel

We're seeing this in some Azure Container Apps environments where we don't have control of the kernel.

Other information

I set OPENSSL_FORCE_FIPS_MODE in my container with this in my csproj:

  <ItemGroup>
    <!--
    OpenSSL detects FIPS support in the Linux kernel in Ubuntu 24.04, but the container does not contain the FIPS module.
    https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/2056593
    This causes .NET cryptographic functions that use OpenSSL to fail in imabes based on Ubuntu 24.04 (noble).
    This environment variable disables FIPS mode in OpenSSL.
    -->
    <ContainerEnvironmentVariable Include="OPENSSL_FORCE_FIPS_MODE" Value="0" />
  </ItemGroup>

Consider setting OPENSSL_FORCE_FIPS_MODE=0 in all noble base images. If someone wants FIPS support, they have to add customize the image to add the libraries anyway and can override the environment variable then.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[bartonjs]

I agree with the issue filer that this is really an issue with our container images, not an issue with the product.

One of a) the container needs to not have the kernel in FIPS mode (whatever that phrase means), b) it should have the OpenSSL-FIPS module so that the crypto stack can load "correctly", or c) it should set that environment variable and maybe have some FIPS notes somewhere saying that the e-var needs to be cleared and the module obtained for anyone who wants to be FIPSy.

@jeffhandley I'm not really sure who would field this, or if this is even the right repository. Can you help route?

[jkotas]

This belongs to https://github.com/dotnet/dotnet-docker

[richlander]

We looked at FIPS in the past and have used the following post for guidance.

https://ubuntu.com/blog/fips-ubuntu-container-security-updates

We will look reach out to our partners for updated guidance. Is this a breaking change in Noble, when FIPS is enabled in the kernel?

[bradygaster]

cc @anthonychu from Container Apps team

[tobhe]

Hi, author of the Ubuntu OpenSSL change here. @ddunkin you analysis looks correct, the problem is that on 24.04 OpenSSL will only work with the FIPS provider library if the kernel is running in FIPS mode. If you enable FIPS the official way we make sure everything is in place. This is to make sure we don't accidentally fall back to a non-fips implementation.

Obviously this can cause problems in containers or bundled applications where the provider library is not available but I would stay it works as intended. If you run a FIPS kernel you probably don't want this so we block it.

[ddunkin]

Thanks for the confirmation. My app doesn't need FIPS, but we deploy in Azure Container Apps and don't have control over the kernel. ACA changed the kernel and our app started crashing. Given deploying containers in these cloud environments is increasingly common where there is little or no control over the kernel, I expect the dotnet container images to be built for as much compatibility as possible.

[tobhe]

This is definitely something to consider, also on the Ubuntu side. Our thinking was: if you run a FIPS kernel on your host you want everything to be compliant, including containers. Otherwise it would be easy to accidentally break your compliance. Maybe we need to come up with a better way to handle this in OpenSSL.

[richlander]

I have reached out to the ACA team for help. It's a holiday weekend so it will take a few more days.

@tobhe -- Thanks so much for your help! Can you tell me if the behavior is specific to an Ubuntu kernel/host or if a Noble container will have the same behavior for any FIPS kernel? I assume the latter, but wanted to get clarity on that. I'm a bit out of my wheelhouse on this, but I believe that the default Azure Linux and Amazon Linux offerings are FIPS capable. I'm not sure if they are enabled by default. I wonder if that's what we're running into with ACA, if they are running an Azure Linux (AKA Mariner) host in a default mode and FIPS just comes with that. I'll ask our team for clarity on that.

[richlander]

Hey @ddunkin -- please reach out to me at dotnet@microsoft.com and then we can get a little more information. We want to make a change to your ACA environment as a test, if you are willing.