Pages - Evaluate FIPS compliance

We are trying to evaluate the effort involved in making GitLab FIPS compliant (&5104 (closed)). As part of this effort, we need to go through parts of GitLab that use encryption, in particular areas that utilize encryption in transit (over the wire). One of these areas is GitLab Pages.

Guidelines

In general, all cryptographic ciphers need to utilize FIPS-validated libraries. Both encryption and hashing functions need to use these libraries. (For example, MD5 is typically disabled on FIPS systems.)

There is a section in the parent epic to share information, common libraries, tips/tricks, etc. on FIPS here: &5104 (closed)

Desired outcome

There are a few key items that would be helpful in evaluating the effort of FIPS compliance on this service/feature:

  • High-level effort to become FIPS compliant, and general approach
  • Whether we would need an alternate distribution, or other major packaging changes to support
  • Any other cross-team impacts

Outcome

From #296016 (comment 488529832)

  • High-level effort to become FIPS compliant, and general approach
    • as you mentioned we can just switch to go toolset and that should be enough, right?
  • Whether we would need an alternate distribution, or other major packaging changes to support
    • Reading from #296017 (comment 487842290):

      another drawback of goboring is that it doesn’t support 4096 bytes long RSA keys which are used for TLS authentication

      I think it forces us to create an alternative distribution because pages need to support custom domain certificates which may use such keys.

  • Any other cross-team impacts
    • If we need a separate binary, we'll probably need some support from the distribution team. (Separate omnibus build, separate helm charts)

Next steps

  1. create an epic for making pages FIPS compliant
  2. create a research issue for trying to compile pages with go toolset and testing pages
  3. close this particular issue since we seem to have answered the main questions
Edited by Jaime Martinez
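
To size the custom domain certificate concern raised in the outcome, the following added example (not GitLab Pages code) reports the RSA modulus size of a PEM certificate and flags the size named in the quoted comment, reading "4096" as bits. `AuditCert`, `SampleCert`, `flagBits` and the `pages.example.test` name are hypothetical, and the sample certificate is constructed at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// flagBits is the key size named in the quoted comment, read as bits (assumption).
const flagBits = 4096

// AuditCert returns the RSA modulus size of the first certificate in a PEM
// bundle and whether it reaches flagBits; non-RSA keys report 0 and false.
func AuditCert(pemData []byte) (bits int, flagged bool, err error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, false, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, false, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub.N.BitLen(), pub.N.BitLen() >= flagBits, nil
	}
	return 0, false, nil
}

// SampleCert builds a constructed, self-signed certificate used only as demo input.
func SampleCert(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "pages.example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	c, genErr := SampleCert(4096)
	bits, flagged, err := AuditCert(c)
	fmt.Printf("rsa_bits=%d needs_review=%t errors=%v,%v\n", bits, flagged, genErr, err)
}
```

Running a check like this over the stored custom domain certificates gives a count of domains that would be affected, which feeds directly into the alternative-distribution question.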