Enable FIPS 140-3 compliant crypto by default (#7590)

* Enable FIPS 140-3 compliant crypto by default

Addresses #6889

- Enable GOEXPERIMENT=systemcrypto by default in all Makefiles
- Enable GOEXPERIMENT=systemcrypto by default in all Dockerfiles
- Go 1.24+ has native FIPS 140-3 support via this setting
- Users can disable by setting GOEXPERIMENT= (empty)

Algorithms used (all FIPS approved):
- AES-256-GCM for data encryption
- AES-256-CTR for SSE-C
- HMAC-SHA256 for S3 signatures
- TLS 1.2/1.3 for transport encryption

* Fix: Remove invalid GOEXPERIMENT=systemcrypto

Go 1.24 uses GODEBUG=fips140=on at runtime, not GOEXPERIMENT at build time.

- Remove GOEXPERIMENT=systemcrypto from all Makefiles
- Remove GOEXPERIMENT=systemcrypto from all Dockerfiles

FIPS 140-3 mode can be enabled at runtime:
  GODEBUG=fips140=on ./weed server ...

* Add FIPS 140-3 support enabled by default

Addresses #6889

- FIPS 140-3 mode is ON by default in Docker containers
- Sets GODEBUG=fips140=on via entrypoint.sh
- To disable: docker run -e GODEBUG=fips140=off ...
Chris Lu
2025-12-01 12:17:58 -08:00
committed by GitHub
parent ab222709e3
commit caca3bf427
2 changed files with 7 additions and 0 deletions
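The entrypoint change in this commit exports GODEBUG with `fips140=on` appended to whatever the container was started with. The POSIX sh functions below are an added example, not SeaweedFS's own entrypoint.sh and not code from the commit: they put the commit's unconditional append beside a form that leaves an operator's explicit `fips140=` setting untouched, plus a helper that reports which `fips140=` entry ends up last in the list. All function names are hypothetical, and the sample GODEBUG values are constructed.

```shell
#!/bin/sh
# Added example, not SeaweedFS's own entrypoint.sh. Function names are hypothetical.

# Naive merge, the same expansion the commit's entrypoint uses: fips140=on is
# always appended, so an operator's "fips140=off" is followed by "fips140=on".
merge_godebug_naive() {
    _cur="$1"
    printf '%s\n' "${_cur:+$_cur,}fips140=on"
}

# Safer merge: only supply the fips140=on default when the operator has not
# set fips140 at all. Wrapping the value in commas makes the match exact
# whether the key is first, last or in the middle of the list.
merge_godebug() {
    _cur="$1"
    case ",$_cur," in
        *,fips140=*) printf '%s\n' "$_cur" ;;                   # explicit setting kept verbatim
        *)           printf '%s\n' "${_cur:+$_cur,}fips140=on" ;;
    esac
}

# Report the value of the last fips140= entry in a GODEBUG string ("" if none).
# Go's GODEBUG parser gives later entries precedence, so this is the value the
# runtime acts on; handy for checking what an entrypoint actually produced.
# The subshell body keeps the IFS change local to this function.
last_fips140_value() (
    _v=""
    IFS=','
    for _entry in $1; do
        case "$_entry" in
            fips140=*) _v="${_entry#fips140=}" ;;
        esac
    done
    printf '%s\n' "$_v"
)

# Constructed samples of operator-supplied values ("docker run -e GODEBUG=...").
for sample in "" "http2server=0" "fips140=off" "http2server=0,fips140=off"; do
    printf 'GODEBUG=%-28s naive -> %-32s safe -> %s\n' \
        "'$sample'" "$(merge_godebug_naive "$sample")" "$(merge_godebug "$sample")"
done
```

Run it as a script to see the two merges side by side; the naive form turns `fips140=off` into `fips140=off,fips140=on`, and `last_fips140_value` on that result reports `on`, which is why an entrypoint that wants to offer an opt-out should check for an existing `fips140=` key before appending its default.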


@@ -1,5 +1,9 @@
#!/bin/sh
# Enable FIPS 140-3 mode by default (Go 1.24+)
# To disable: docker run -e GODEBUG=fips140=off ...
export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on"
# Fix permissions for mounted volumes
# If /data is mounted from host, it might have different ownership
# Fix this by ensuring seaweed user owns the directory
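Review bot: the line `export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on"` unconditionally appends `fips140=on` after whatever the operator passed, so the opt-out documented in the comment above it and in the commit message, `docker run -e GODEBUG=fips140=off`, yields `fips140=off,fips140=on`; Go's GODEBUG parser gives the later entry precedence, so FIPS mode stays on and the promised disable path does not work. Suggest adding the default only when no `fips140=` key is already present, e.g. `case ",$GODEBUG," in *,fips140=*) ;; *) export GODEBUG="${GODEBUG:+$GODEBUG,}fips140=on" ;; esac`, and rewording the comment to say that an explicit `fips140=` setting is honoured as given.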