Prevent 500 errors on FIPS systems when user password is too short
What does this MR do and why?
On an Ubuntu 22.04 FIPS system, attempting to hash a password shorter than 8 characters results in:
OpenSSL::KDF::KDFError (PKCS5_PBKDF2_HMAC: invalid key length)
Previously the password length was only checked in a Devise validator, but this is too late for OpenSSL. Fix this by doing this check in Users::UpdateService.
Relates to https://gitlab.com/gitlab-com/request-for-help/-/issues/3526
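One way to express the ordering the MR describes, as an added example rather than GitLab's own Users::UpdateService code: the length check runs in the service before any KDF call, so a too-short password never reaches OpenSSL. The minimum of 8 characters comes from the description above; the module name, iteration count, key length and salt are assumptions made for the example.

```ruby
require 'openssl'

# Added example, not GitLab code: a minimal stand-in for the service-level
# check the MR describes. Validation happens before OpenSSL is touched.
module FipsSafePassword
  # The MR reports that passwords shorter than 8 characters make
  # PKCS5_PBKDF2_HMAC fail on a FIPS system; Devise's validator runs too late.
  MIN_PASSWORD_LENGTH = 8
  ITERATIONS = 20_000   # assumed value for the example
  KEY_LENGTH = 32       # assumed derived-key length in bytes

  # Returns [:ok, hex_digest] or [:error, message]. The `kdf` argument is
  # injectable only so the ordering can be tested without a FIPS box.
  def self.update_password(password, salt:, kdf: method(:pbkdf2))
    if password.nil? || password.length < MIN_PASSWORD_LENGTH
      return [:error, "password must be at least #{MIN_PASSWORD_LENGTH} characters"]
    end

    [:ok, kdf.call(password, salt)]
  end

  # The hashing step itself; on a FIPS system this is the call that raised
  # OpenSSL::KDF::KDFError for short passwords.
  def self.pbkdf2(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: KEY_LENGTH, hash: 'sha256').unpack1('H*')
  end
end
```

The same shape applies in the real service: reject the password and return an error response before assigning it to the user model, rather than relying on the model validator to catch it after hashing.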
References
Screenshots or screen recordings
How to set up and validate locally
- Install Ubuntu 22.04 Pro FIPS system.
- Install GitLab.
- Attempt to change a password.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Stan Hu