nickva opened a new issue, #4442: URL: https://github.com/apache/couchdb/issues/4442
https://www.erlang.org/doc/apps/crypto/fips.html

* The first step is to enable FIPS mode when compiling Erlang. That merely allows toggling it on / off if the underlying crypto library (OpenSSL) supports it. For our packaging we can do that here https://github.com/apache/couchdb-ci/pull/44.
* Implement a runtime FIPS mode toggle. Currently we can enable it at compile time; however, that requires having two builds, two package flavors, etc. Instead, use a runtime config option to toggle it. In [couch_hash](https://github.com/apache/couchdb/blob/main/src/couch/src/couch_hash.erl#L17-L45), to avoid a performance impact, use a persistent term to minimize config ETS lookups if performance degradation is of concern.
* FIPS mode, when enabled, is already exposed in the [features list](https://github.com/apache/couchdb/blob/main/src/couch/src/couch_server.erl#L277-L283).
* Any places where TLS is used would potentially need to reduce the list of advertised algorithms / curves / parameters to conform to the FIPS approved list. If that's not done, it would lead to `unsupported` crashes and failures on every usage. A few places that might happen:
  - chttpd (mochiweb) TLS support
  - couch_replicator (ibrowse)
  - Erlang intra-node TLS
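The following Erlang module is an added illustration of the two mechanisms the issue describes (a runtime FIPS toggle cached in a `persistent_term`, and trimming the advertised TLS cipher suites before the handshake). It is not CouchDB code and not code from the issue author: the module name, the persistent-term key, the choice of `erlang:md5/1` as the non-OpenSSL fallback, and the allow-list used in the cipher filter are all assumptions made here for the example, not an authoritative FIPS 140 list. The real OTP calls used are `crypto:enable_fips_mode/1`, `crypto:info_fips/0`, `persistent_term:put/2`, `persistent_term:get/2`, `ssl:cipher_suites/2` and `ssl:filter_cipher_suites/2`.

```erlang
%% Added example, not CouchDB code: a runtime FIPS toggle for a couch_hash-style
%% module, plus a cipher-suite filter for the TLS listeners the issue lists.
-module(fips_toggle_example).
-export([set_fips_mode/1, fips_enabled/0, md5_hash/1,
         fips_tls_options/1, demo/0]).

%% Assumed key for the cached flag; any unique term works.
-define(FIPS_KEY, {?MODULE, fips_mode}).

%% Runtime toggle. crypto:enable_fips_mode/1 only succeeds when the Erlang
%% runtime was built with FIPS support and the linked OpenSSL provides it;
%% it returns false otherwise, and crypto:info_fips/0 reports the real state.
%% The effective state is cached in a persistent_term so hot paths (every
%% hash call) do not have to do an ETS lookup into the config store.
-spec set_fips_mode(boolean()) -> boolean().
set_fips_mode(Enable) ->
    Ok = crypto:enable_fips_mode(Enable),
    Actual = crypto:info_fips() =:= enabled,
    persistent_term:put(?FIPS_KEY, Actual),
    Ok andalso Actual =:= Enable.

%% Cheap read on the hot path; defaults to false if never set.
-spec fips_enabled() -> boolean().
fips_enabled() ->
    persistent_term:get(?FIPS_KEY, false).

%% MD5 is used here for a non-security purpose (identifiers, not integrity).
%% In FIPS mode OpenSSL refuses MD5, so crypto:hash(md5, _) would raise an
%% error; the BIF erlang:md5/1 does not go through OpenSSL at all. Assumption:
%% the caller only needs MD5 as a digest of data, not as a security primitive.
-spec md5_hash(iodata()) -> binary().
md5_hash(Data) ->
    case fips_enabled() of
        true  -> erlang:md5(Data);
        false -> crypto:hash(md5, Data)
    end.

%% Build ssl options whose advertised suites are restricted to an allow-list
%% (ECDHE/DHE key exchange, AES-GCM, AEAD or SHA-2 MACs, P-256/P-384 curves)
%% so the handshake does not fail once FIPS mode is on. The allow-list is an
%% illustrative assumption; check it against the FIPS module's approved list.
-spec fips_tls_options('tlsv1.2' | 'tlsv1.3') -> [{atom(), term()}].
fips_tls_options(Version) ->
    AllowedKex = [ecdhe_ecdsa, ecdhe_rsa, dhe_rsa, any],  % 'any' = TLS 1.3
    AllowedCipher = [aes_128_gcm, aes_256_gcm],
    AllowedMac = [aead, sha256, sha384],
    Suites = ssl:filter_cipher_suites(
               ssl:cipher_suites(default, Version),
               [{key_exchange, fun(K) -> lists:member(K, AllowedKex) end},
                {cipher,       fun(C) -> lists:member(C, AllowedCipher) end},
                {mac,          fun(M) -> lists:member(M, AllowedMac) end}]),
    [{versions, [Version]},
     {ciphers, Suites},
     {eccs, [secp256r1, secp384r1]}].

%% Runs offline: hashes a constructed document body with the toggle in its
%% default (off) state, then reports the filtered suite count for TLS 1.2.
%% On a non-FIPS build set_fips_mode(true) returns false and the md5 path
%% keeps using crypto:hash/2.
demo() ->
    Body = <<"{\"_id\":\"doc1\",\"value\":42}">>,   % constructed sample input
    Digest = md5_hash(Body),
    Toggled = set_fips_mode(true),
    Opts = fips_tls_options('tlsv1.2'),
    {ciphers, Suites} = lists:keyfind(ciphers, 1, Opts),
    #{digest => Digest, fips_toggle_ok => Toggled,
      fips_enabled => fips_enabled(), suites_advertised => length(Suites)}.
```

Two things worth noting from this shape: `persistent_term:put/2` triggers a global scan of all processes, which is acceptable for a once-per-config-change toggle but would not be for a per-request flag, and the filtered `ciphers` list must be passed to every TLS endpoint the issue names (the mochiweb listener, the replicator's ibrowse client options and the distribution `ssl_dist_optfile`), since the restriction is per-socket-options rather than global.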
