Git over SSH - Evaluate FIPS compliance
We are trying to evaluate the effort involved in making GitLab FIPS compliant (&5104 (closed)). As part of this effort, we need to go through parts of GitLab that use encryption, in particular areas that utilize encryption in transit (over the wire). One of these areas is Git over SSH.
Guidelines
In general, all cryptographic operations need to be performed by FIPS-validated libraries; this applies to both encryption and hashing functions (for example, MD5 is typically disabled on FIPS systems).
There is a section in the parent epic to share information, common libraries, tips/tricks, etc. on FIPS here: &5104 (closed)
Desired outcome
There are a few key items that would be helpful in evaluating the effort of FIPS compliance on this service/feature:
- High-level effort to become FIPS compliant, and general approach
- Whether we would need an alternate distribution, or other major packaging changes to support
- Any other cross-team impacts
Questions:
- Are we using encryption outside of the standard Go/Ruby libraries? (Either in-transit or at-rest)
- Are we using MD5 anywhere? This is unlikely to work on FIPS installations once linked against FIPS OpenSSL.
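As an added example (not part of this issue or of GitLab's own tooling), a POSIX shell audit of the cipher, MAC and key-exchange lists an OpenSSH server actually offers, read from `sshd -T` output, against a FIPS allowlist. The allowlist is an assumption modelled on typical FIPS-mode OpenSSH policies and the sample input is constructed; confirm the lists against the validated module's security policy before relying on them.

```shell
#!/bin/sh
# ASSUMED allowlist: adjust to the security policy of the validated module in use.
FIPS_CIPHERS="aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com"
FIPS_MACS="hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com hmac-sha1 hmac-sha1-etm@openssh.com"
FIPS_KEX="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 diffie-hellman-group18-sha512"

# in_list NAME "a b c": succeeds when NAME is one of the listed words.
in_list() {
    for item in $2; do
        [ "$1" = "$item" ] && return 0
    done
    return 1
}

# audit_sshd_config reads "keyword value" lines (the format of `sshd -T`) on
# stdin and prints "<keyword> <algorithm>" for every algorithm that is not on
# the allowlist. Returns 0 when everything is allowlisted, 1 otherwise.
audit_sshd_config() {
    rc=0
    while read -r key value; do
        case "$key" in
            ciphers)       allow=$FIPS_CIPHERS ;;
            macs)          allow=$FIPS_MACS ;;
            kexalgorithms) allow=$FIPS_KEX ;;
            *)             continue ;;
        esac
        # sshd -T prints each algorithm list comma-separated
        for alg in $(printf '%s' "$value" | tr ',' ' '); do
            in_list "$alg" "$allow" || { printf '%s %s\n' "$key" "$alg"; rc=1; }
        done
    done
    return $rc
}

# Constructed sample resembling `sshd -T` output from a stock OpenSSH install.
SAMPLE_SSHD_T='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

# On a live host run: sshd -T | audit_sshd_config
# The sample above flags chacha20-poly1305, umac-64-etm and curve25519-sha256.
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_config || echo "non-allowlisted algorithms offered"
```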
Edited by Sean Carroll