[erlang-questions] FIPS compliance
Tue Mar 15 08:06:34 CET 2016
Erlang's cryptography is not FIPS 140-2-certified. There was a pull request to add FIPS compliance via OpenSSL in FIPS mode, but it stalled .
Calls to OpenSSL's crypto canister must go through the Envelope (EVP) API calls. The crypto library in Erlang OTP 19 will use EVP calls (exclusively, I assume) . However, EVP calls alone are not enough for FIPS 140-2 support.
If the only problem is terminating incoming HTTP requests, you may be able to get away with proxying the request through a FIPS 140-2 load balancer. rabbitmq-server calls crypto for password hashing. You'd need to replace calls to crypto with calls to a FIPS provider and look for calls made outside of crypto (BIFs like md5, phash).
> On Mar 14, 2016, at 10:19 PM, Kapil Goyal <goyalk@REDACTED> wrote:
> Hi All,
> We use RabbitMQ and are working on running it in FIPS compliance. According to a post on RMQ forum (https://groups.google.com/forum/#!topic/rabbitmq-users/wUzUjgDQ9M8), Erlang is not FIPS compliance. Is this correct? If so, are there plans to be compliant in near future?
> erlang-questions mailing list
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the erlang-questions