Pages - Evaluate FIPS compliance
We are trying to evaluate the effort involved in making GitLab FIPS compliant (&5104 (closed)). As part of this effort, we need to go through parts of GitLab that use encryption, in particular areas that utilize encryption in transit (over the wire). One of these areas is GitLab Pages.
Guidelines
In general, all cryptographic ciphers need to utilize FIPS validated libraries. Both encryption and hashing functions need to use these libraries. (For example, MD5 is typically disabled on FIPS systems)
There is a section in the parent epic to share information, common libraries, tips/tricks, etc. on FIPS here: &5104 (closed)
Desired outcome
There are a few key items that would be helpful in evaluating the effort of FIPS compliance on this service/feature:
- High-level effort to become FIPS compliant, and general approach
- Whether we would need an alternate distribution, or other major packaging changes to support
- Any other cross-team impacts
Outcome
From #296016 (comment 488529832)
- High-level effort to become FIPS compliant, and general approach
- as you mentioned we can just switch to
go toolset
and that should be enough, right?
- as you mentioned we can just switch to
- Whether we would need an alternate distribution, or other major packaging changes to support
-
Reading from #296017 (comment 487842290):
another drawback of
goboring
is that it doesn’t support4096
bytes long RSA keys which are used for TLS authenticationI think it forces us to create an alternative distribution because pages need to support custom domain certificates which may use such keys.
-
- Any other cross-team impacts
- If we need a separate binary, we'll probably need some support from the distribution team. (Separate omnibus built, separate helm charts)
Next steps
- create an epic for making pages FIPS compliant
- create a research issue for trying to compile pages with
go toolset
and testing pages - close this particular issue since we seem to have answered the main questions