Run Ruby applications in FIPS mode on Red Hat Enterprise Linux

Cryptographic standards can be complex, especially if you need to ensure your applications meet Federal Information Processing Standards (FIPS) requirements. This article shows you how to run applications written in Ruby in FIPS mode on Red Hat Enterprise Linux (RHEL). 

RHEL supports FIPS mode in system level, and Ruby can operate in this mode through its standard library, Ruby OpenSSL (the openssl gem). I'll provide insights and instructions, with examples from Red Hat Enterprise Linux 10, based on my contributions to the upstream Ruby project.

Behind the scenes: My upstream contribution for FIPS

For a while now, I've been working to ensure that Ruby plays nicely with the OpenSSL FIPS module. My contribution to the upstream Ruby OpenSSL project for FIPS started when a FIPS-specific bug was identified in Ruby OpenSSL. I noticed its continuous integration (CI) tests were missing FIPS-specific coverage.

To address this gap and help make Ruby more secure for everyone, I proposed becoming a co-maintainer of the Ruby OpenSSL project, focusing on FIPS. The Ruby project approved my proposal, and I have been contributing to this effort ever since. Working with the Ruby project has been a great learning experience, and I am grateful for the kindness and guidance of the Ruby project members and contributors.

Recommended RHEL and Ruby versions for FIPS mode

For the best experience running Ruby in RHEL FIPS mode, consult the recommended combinations of RHEL and Ruby versions. While upstream Ruby OpenSSL versions 3.2.0 and later fully support FIPS mode, Red Hat has applied patches to earlier Ruby OpenSSL versions in RHEL to improve FIPS mode functionality.

The following table provides the recommended RHEL and Ruby version combinations.

Confirming your FIPS environment

Before you begin, ensure your RHEL system is running in FIPS mode.

Next, install the Ruby RPM package:

# dnf install ruby

Once installed, you can confirm your system environment is FIPS-enabled by performing the following two checks in OpenSSL and Ruby.

1. Verify the loaded OpenSSL providers

Using the openssl command is an easy way to check this. Verify that OpenSSL is loading the fips provider along with the base and/or default providers. Run the openssl list -providers command to see the active providers:

$ openssl list -providers
Providers:
 base
   name: OpenSSL Base Provider
   version: 3.2.2
   status: active
 default
   name: OpenSSL Default Provider
   version: 3.2.2
   status: active
 fips
   name: Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider
   version: 3.0.7-395c1a240fbfffd8
   status: active

You can also double-check this in Ruby, using the OpenSSL::Provider class (introduced in Ruby OpenSSL versions 3.2.0) to list the provider names. This tip is helpful if you want to create a Ruby application for FIPS checks or audit purposes. You can check the installed Ruby OpenSSL version by running the following command:

$ gem list openssl

*** LOCAL GEMS ***

openssl (default: 3.2.0)

Then you can check a list of the providers by running the following command:

$ ruby -ropenssl -e 'puts OpenSSL::Provider.provider_names'
default
fips
base

2. Check the fips=yes property of OpenSSL

The fips=yes property queries for FIPS-approved cryptographic implementations. OpenSSL in RHEL 10 and 9 provides the C-API EVP_default_properties_is_fips_enabled, which was added in the upstream OpenSSL 3.2. Additionally, OpenSSL in RHEL 10, 9, and 8 includes the RHEL-specific C-API FIPS_mode. Unfortunately, the OpenSSL CLI openssl command doesn't provide a way to check the property. However, you can check the FIPS status with Ruby's OpenSSL.fips_mode method, which is equivalent to these APIs.

$ ruby -ropenssl -e 'puts OpenSSL.fips_mode'
true

Handling prohibited cryptography algorithms in your Ruby application in FIPS mode

If your Ruby application encounters an FIPS mode-specific error, it's likely trying to use a cryptographic algorithm that is not allowed. For instance, FIPS mode does not permit RSA 1024-bit keys, but it does allow RSA 2048-bit keys (per FIPS-186-5, section 5.1).

The following example demonstrates how an application fails when using a prohibited RSA 1024-bit key size:

$ ruby -ropenssl -e 'OpenSSL::PKey::RSA.generate(1024); puts "OK"'
/usr/share/ruby/openssl/pkey.rb:344:in `generate_key': EVP_PKEY_keygen: invalid modulus (OpenSSL::PKey::PKeyError)
 from /usr/share/ruby/openssl/pkey.rb:344:in `generate'
 from -e:1:in `<main>'

You can fix this error by using an approved RSA 2048-bit key size:

$ ruby -ropenssl -e 'OpenSSL::PKey::RSA.generate(2048); puts "OK"'
OK

Forcing FIPS mode for testing

For testing purposes, Red Hat added the OPENSSL_FORCE_FIPS_MODE environment variable to RHEL's downstream OpenSSL RPM. This variable lets you enable the OpenSSL FIPS module in a non-FIPS environment.

$ export OPENSSL_FORCE_FIPS_MODE=1

If you are already in RHEL FIPS mode, this variable is not necessary.

Wrapping up

You are now equipped with the basic knowledge to run your Ruby applications in FIPS mode on Red Hat Enterprise Linux. A key takeaway is that you can now run a recommended RHEL and Ruby version combination and verify your system environment. Most importantly, be vigilant about using FIPS-approved cryptographic algorithms and proactively testing for possible errors, like the prohibited use of RSA 1024-bit keys.

My ongoing contributions to the upstream Ruby OpenSSL project, along with other project members and contributors, are focusing on improving FIPS-specific tests in the CI. This is to ensure that Ruby remains a stable and security-focused choice for FIPS-compliant environments on RHEL.