[Meta] FIPS support
FIPS compliance is a requirement for the US Government to use a piece of software. It is required for any FISMA system and cannot be waived.
In order for GitLab to be directly usable within the US Government, we need to be compliant:
- Inventory all locations we use cryptography within GitLab (https://gitlab.com/gitlab-org/gitlab-ee/issues/4429). Add any missing items to the list below.
- Quickly determine the path forward for FIPS compliance for each item (e.g. OpenSSL FIPS, something else).
- Determine the MVP. Initial proposal: Git over SSH/HTTPS, and HTTPS to the console. (Note: not all features need to be FIPS compliant in the first release if those features, such as CI, can be disabled.)
Areas that utilize encryption:
- Git over SSH
- Git over HTTPS
- NGINX
- Rails/Sidekiq
- Auth modules (AD/LDAP, Kerberos, Omniauth)
- GitLab Pages daemon
- GitLab Runner
- Elasticsearch indexer
- GitLab Workhorse
  - Object storage proxy
  - Web terminal proxy
Areas that use MD5SUMs:
- SSH key fingerprints: https://gitlab.com/gitlab-org/gitlab-ce/issues/20502 https://gitlab.com/gitlab-org/gitlab-ce/issues/37899
- License verification: https://gitlab.com/gitlab-org/gitlab-ee/blob/v10.5.0-ee/ee/app/models/license.rb#L205
- Omnibus verifies integrity of many sources using MD5: https://gitlab.com/gitlab-org/omnibus-gitlab/tree/master/config/software
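The SSH key fingerprint item above is the clearest case of an MD5 dependency: a FIPS-validated OpenSSL refuses to compute MD5, so any stored MD5 fingerprints stop being verifiable once FIPS mode is on. The following is an added example (not GitLab's code) that computes both the legacy MD5 fingerprint and the SHA256 fingerprint that `ssh-keygen` prints by default, and matches a stored fingerprint in whichever form it was saved. The key line is constructed for the example (its "blob" is just the bytes `abc`), not a real key.

```ruby
require "base64"
require "openssl"

# Parse one OpenSSH public key line ("<type> <base64 blob> [comment]") and
# return the raw key blob. The blob is exactly what ssh-keygen hashes when it
# prints a fingerprint, so the fingerprint does not depend on the comment.
def ssh_key_blob(line)
  parts = line.strip.split(/\s+/)
  raise ArgumentError, "not an OpenSSH public key line" if parts.size < 2
  Base64.strict_decode64(parts[1])
end

# Legacy fingerprint: colon-separated hex MD5 of the blob (ssh-keygen -E md5).
# MD5 is not FIPS-approved; under a FIPS-mode OpenSSL this call raises, so this
# form can only be kept for comparing against values stored before migration.
def md5_fingerprint(line)
  OpenSSL::Digest::MD5.hexdigest(ssh_key_blob(line)).scan(/../).join(":")
end

# Modern fingerprint: "SHA256:" followed by unpadded base64 of SHA-256 over the
# blob. This is ssh-keygen's default output and uses a FIPS-approved hash.
def sha256_fingerprint(line)
  digest = OpenSSL::Digest::SHA256.digest(ssh_key_blob(line))
  "SHA256:" + Base64.strict_encode64(digest).delete("=")
end

MD5_FORM    = /\A(?:\h{2}:){15}\h{2}\z/
SHA256_FORM = /\ASHA256:[A-Za-z0-9+\/]{43}\z/

# Compare a key against a stored fingerprint, accepting either stored form.
# Only the SHA256 branch is usable in FIPS mode, which is why stored MD5
# fingerprints must be re-derived from the key while MD5 is still available.
def fingerprint_matches?(line, stored)
  case stored
  when SHA256_FORM then sha256_fingerprint(line) == stored
  when MD5_FORM    then md5_fingerprint(line) == stored
  else false
  end
end

# Constructed sample line: "YWJj" is base64 for "abc"; this is not a real key.
SAMPLE_KEY = "ssh-rsa YWJj constructed-test-key"

if __FILE__ == $PROGRAM_NAME
  puts "MD5:    #{md5_fingerprint(SAMPLE_KEY)}"
  puts sha256_fingerprint(SAMPLE_KEY)
end
```

Because the blob of the sample line is the bytes `abc`, the two outputs are the standard MD5 and SHA-256 test vectors for that string, which makes the functions easy to check against `ssh-keygen -lf` on a real key file.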
Edited by Nick Thomas