Git over HTTPS - Evaluate FIPS compliance
We are trying to evaluate the effort involved in making GitLab FIPS compliant (&5104 (closed)). As part of this effort, we need to go through parts of GitLab that use encryption, in particular areas that utilize encryption in transit (over the wire). One of these areas is Git over HTTPS.
Guidelines
In general, all cryptographic ciphers need to utilize FIPS-validated libraries. Both encryption and hashing functions need to use these libraries. (For example, MD5 is typically disabled on FIPS systems.)
There is a section in the parent epic to share information, common libraries, tips/tricks, etc. on FIPS here: &5104 (closed)
Desired outcome
There are a few key items that would be helpful in evaluating the effort of FIPS compliance on this service/feature:
- High-level effort to become FIPS compliant, and general approach
- Whether we would need an alternate distribution, or other major packaging changes, to support it
- Any other cross-team impacts