[erlang-questions] FIPS compliance

Drew Varner drew.varner@REDACTED
Tue Mar 15 08:06:34 CET 2016


Erlang's cryptography is not FIPS 140-2-certified. There was a pull request to add FIPS compliance via OpenSSL in FIPS mode, but it stalled [1]. 

Calls to OpenSSL's crypto canister must go through the Envelope (EVP) API calls. The crypto library in Erlang OTP 19 will use EVP calls (exclusively, I assume) [2]. However, EVP calls alone are not enough for FIPS 140-2 support.

If the only problem is terminating incoming HTTP requests, you may be able to get away with proxying the request through a FIPS 140-2 load balancer. rabbitmq-server calls crypto for password hashing. You'd need to replace calls to crypto with calls to a FIPS provider and look for calls made outside of crypto (BIFs like md5, phash). 

- Drew

[1] https://github.com/erlang/otp/pull/377
[2] http://youtu.be/YlNrWxH56_E

> On Mar 14, 2016, at 10:19 PM, Kapil Goyal <goyalk@REDACTED> wrote:
> Hi All,
> We use RabbitMQ and are working on running it in FIPS compliance. According to a post on RMQ forum (https://groups.google.com/forum/#!topic/rabbitmq-users/wUzUjgDQ9M8), Erlang is not FIPS compliance. Is this correct? If so, are there plans to be compliant in near future?
> Thanks
> Kapil
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20160315/ae3d8a0c/attachment.htm>

More information about the erlang-questions mailing list