Using the SDK with FIPS enabled #2645
Comments
Hey - yeah this is unfortunately a known limitation (see #2397). I wasn't aware of the
Adding reference to #2645 as well...
There are upcoming changes that will add support for using user defined/flexible checksums, see: #2667. This is just the start, as operations/services need to add support for this trait, but it does provide a path in the future for letting users avoid md5 and the http_checksum plugin.
This is excellent! Thank you for the update.
And now, with version 1.113.0 of
@alextwoods I don't think this solves the
Does #2706 solve the issue? i.e. using the
@akostadinov That works for S3 -- We ended up solving the SQS issue by setting
I've created a parent issue in the aws-sdk repo, since this is a service API feature request.
There appear to be a number of resources that require the use of OpenSSL::Digest::MD5 to operate:
Since MD5 is not approved for use with FIPS, is there any plan to modify the APIs or SDK in order to work when FIPS is enabled?
As a point of comparison, botocore performs detection of MD5 availability and sets an MD5_AVAILABLE constant. In a few places, it will not attempt to perform an MD5 digest (while others will raise an error).
Additionally, aws-cfn-bootstrap makes use of the usedforsecurity option to hashlib.new('md5') to allow the use of MD5 when not used for the purpose of security. This allows it to fetch objects from S3. I'm not aware of any similar option in Ruby's OpenSSL/Digest libraries, but maybe an alternative could be found.
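The botocore-style behaviour described in the issue (probe MD5 once, then skip the digest where it is optional and raise where it is required), sketched in Ruby as an added example; it is not code from aws-sdk-ruby or botocore. The names md5_available?, MD5UnavailableError and integrity_headers are hypothetical, and whether a given operation accepts x-amz-checksum-sha256 in place of Content-MD5 is an assumption that depends on the service.

```ruby
require 'openssl'
require 'base64'

# Hypothetical error for operations that cannot proceed without Content-MD5.
class MD5UnavailableError < StandardError; end

# Probe whether the crypto provider will construct and run an MD5 digest.
# Under FIPS, OpenSSL refuses MD5; the exception class differs between
# Ruby/OpenSSL versions (assumption), so the rescue is deliberately broad.
# The factory is injectable so the FIPS case can be simulated in tests.
def md5_available?(factory = -> { OpenSSL::Digest.new('MD5') })
  factory.call.digest('probe')
  true
rescue StandardError
  false
end

# Evaluated once at load time, like botocore's MD5_AVAILABLE constant.
MD5_AVAILABLE = md5_available?

# Returns the integrity headers to attach to a request body.
#   md5_required:    the operation rejects requests without Content-MD5
#   sha256_fallback: send a SHA-256 checksum header when MD5 is unavailable
#                    (assumes the operation accepts it)
def integrity_headers(body, md5_required:, md5_ok: MD5_AVAILABLE, sha256_fallback: false)
  if md5_ok
    { 'Content-MD5' => Base64.strict_encode64(OpenSSL::Digest.new('MD5').digest(body)) }
  elsif md5_required
    # Fail before sending, with a message that names the real cause.
    raise MD5UnavailableError,
          'operation requires Content-MD5, but MD5 is unavailable (FIPS mode?)'
  elsif sha256_fallback
    { 'x-amz-checksum-sha256' =>
        Base64.strict_encode64(OpenSSL::Digest.new('SHA256').digest(body)) }
  else
    {} # MD5 was optional here: skip the digest, as botocore does in a few places
  end
end
```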