Fluent-Bit with FIPS and Kafka output: SSL routines::library has no ciphers #9663

Open
maxio89 opened this issue Nov 28, 2024 · 4 comments

maxio89 commented Nov 28, 2024

Bug Report

Describe the bug
We built Fluent Bit against OpenSSL 3.4.0 with FIPS enabled and configured only the FIPS provider.
It looks like Fluent-Bit or the Kafka output plugin doesn't support FIPS algorithms and they try to load the legacy.
Can we do something with that?

[2024/11/28 10:18:28] [ info] [fluent bit] version=3.2.0, commit=76910b2cc7, pid=1
...
[2024/11/28 10:18:28] [error] [openssl] could not create context
[2024/11/28 10:18:28] [error] [tls] could not create TLS backend
...
[2024/11/28 10:18:28] [error] [output:kafka:kafka_app_logs] fluent-bit#producer-1: [thrd:app]: error:0A0000A1:SSL routines::library has no ciphers
[2024/11/28 10:18:28] [error] [output:kafka:kafka_app_logs] fluent-bit#producer-1: [thrd:app]: error:0A0000A1:SSL routines::library has no ciphers
[2024/11/28 10:18:28] [error] [output:kafka:kafka_app_logs] failed to create producer: SSL_CTX_new() failed: error:0A0000A1:SSL routines::library has no ciphers

Expected behavior
OpenSSL context is created with FIPS enabled.

Your Environment
Kubernetes and Ubuntu 22.04.

Additional context
We need to enable FIPS to be FedRAMP compliant.

@patrick-stephens
Contributor

We're going to need a lot more details on how you built and how you're running.

Author

maxio89 commented Nov 29, 2024

Here is my Dockerfile.
I will try to prepare a docker compose with Kafka and SSL enabled.

Author

maxio89 commented Dec 3, 2024

I pushed my changes here.
It looks like a working Kafka is not needed to reproduce the problem.
A simple fluent-bit instance with Kafka output and SSL configured is more than enough.

fluent-bit-1  | [2024/12/03 22:48:17] [2024/12/03 22:48:17] [error] [output:kafka:kafka.0] failed to create producer: SSL_CTX_new() failed: ssl/ssl_lib.c:3977:SSL_CTX_new_ex error:0A0000A1:SSL routines::library has no ciphers
fluent-bit-1  | [engine] caught signal (SIGSEGV)
fluent-bit-1  | #0  0xaaaac8539a87      in  flb_out_kafka_destroy() at plugins/out_kafka/kafka_config.c:232
fluent-bit-1  | #1  0xaaaac8539f73      in  flb_out_kafka_create() at plugins/out_kafka/kafka_config.c:173
fluent-bit-1  | #2  0xaaaac8538277      in  cb_kafka_init() at plugins/out_kafka/kafka.c:77
fluent-bit-1  | #3  0xaaaac844bc57      in  flb_output_init_all() at src/flb_output.c:1314
fluent-bit-1  | #4  0xaaaac845a5df      in  flb_engine_start() at src/flb_engine.c:841
fluent-bit-1  | #5  0xaaaac8439ce3      in  flb_lib_worker() at src/flb_lib.c:763
fluent-bit-1  | #6  0xffff84e7ee8f      in  start_thread() at reate.c:442
fluent-bit-1  | #7  0xffff84ee7b1b      in  thread_start() at sysv/linux/aarch64/clone.S:79
fluent-bit-1  | #8  0xffffffffffffffff  in  ???() at ???:0
fluent-bit-1 exited with code 133

To run the example just run docker-compose up or run ./run-example.sh.

Please let me know if you need anything else.
We're really looking for some advice here.
Thanks.

Author

maxio89 commented Dec 17, 2024

Hi guys.
Are you going to take a look at this?
