FIPS 140-3 mode support #7409

Merged
neilalexander merged 1 commit into main from neil/fips140
Oct 9, 2025

@neilalexander neilalexander commented Oct 9, 2025

When enabling FIPS 140-3 mode with `GODEBUG=gofips=X` on supported platforms,
the following restrictions are made to allow NATS to function:

1. `auth_callout` cannot be configured and will error at startup if it is;
2. `chacha` filestore encryption mode cannot be configured and will
   error at startup if it is;
3. `X25519` is removed from the default curve preferences;
4. TLS handshakes that require non-FIPS-compliant algorithms will fail.

Signed-off-by: Neil Twigg <neil@nats.io>
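
A startup check in the spirit of restrictions 1 to 3 above, as an added Go example that is not code from this pull request or from nats-server. The `Options` struct, `ApplyFIPS` and the default curve list are hypothetical names and constructed values; the FIPS state is passed in by the caller.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// Options is a hypothetical stand-in for the settings named above,
// not the nats-server Options type.
type Options struct {
	AuthCallout     bool          // an auth_callout block is configured
	FilestoreCipher string        // "", "aes" or "chacha"
	CurvePrefs      []tls.CurveID // empty means "use the defaults"
}

var defaultCurves = []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}

// ApplyFIPS enforces restrictions 1-3 and returns the curve preferences to use.
// The caller supplies fips; on Go 1.24+ crypto/fips140.Enabled() reports it.
func ApplyFIPS(fips bool, o Options) ([]tls.CurveID, error) {
	if fips {
		var errs []error
		if o.AuthCallout {
			errs = append(errs, errors.New("auth_callout cannot be used in FIPS 140-3 mode"))
		}
		if o.FilestoreCipher == "chacha" {
			errs = append(errs, errors.New("chacha filestore encryption cannot be used in FIPS 140-3 mode"))
		}
		if err := errors.Join(errs...); err != nil {
			return nil, err // report every violation at startup, not just the first
		}
	}
	if len(o.CurvePrefs) > 0 {
		return o.CurvePrefs, nil // explicit list is left alone; restriction 4 applies at handshake
	}
	curves := make([]tls.CurveID, 0, len(defaultCurves))
	for _, c := range defaultCurves {
		if fips && c == tls.X25519 {
			continue // restriction 3: drop X25519 from the defaults only
		}
		curves = append(curves, c)
	}
	return curves, nil
}

func main() {
	fmt.Println(ApplyFIPS(true, Options{FilestoreCipher: "aes"}))
	fmt.Println(ApplyFIPS(true, Options{AuthCallout: true, FilestoreCipher: "chacha"}))
}
```
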
@neilalexander neilalexander marked this pull request as ready for review October 9, 2025 12:21
@neilalexander neilalexander requested a review from a team as a code owner October 9, 2025 12:21

@MauriceVanVeen MauriceVanVeen left a comment

LGTM

@neilalexander neilalexander merged commit 16bad96 into main Oct 9, 2025
67 of 70 checks passed
@neilalexander neilalexander deleted the neil/fips140 branch October 9, 2025 12:45
neilalexander added a commit that referenced this pull request Oct 10, 2025
Includes the following:

- #7400
- #7399
- #7401
- #7402
- #7404
- #7405
- #7409
- #7413

Signed-off-by: Neil Twigg <neil@nats.io>

Development

Successfully merging this pull request may close these issues.

FIPS approved crypto for NATS server xkey
