Will Erlang/OTP 25+ plan to support FIPS?

Does Erlang/OTP 25+ have a plan to fully support FIPS? This is very critical for us.

2 Likes

There is support for FIPS in the OTP 25 track but not in combination with OpenSSL 3.x.

We plan to support FIPS together with OpenSSL 3.x in OTP 26.2 at the earliest, or maybe it has to wait until OTP 27.0; it is hard to say right now.

The major and required part of the job is to update the crypto application by removing the use of deprecated functions. That is, the functions that got deprecated in OpenSSL 3.0.

1 Like

Thanks for your response.
I’m not sure whether OpenSSL 1.1.1 already fully supports FIPS, since no documentation was found.
If so, can we manually build OTP 25 with OpenSSL 1.1.1 as a workaround (or does OTP already provide OpenSSL 1.1.1 integration) to enable TLSv1.3 functionality?

When building OTP, use the following flags in the configure step:

--enable-fips
--with-ssl=PATH - Specify base location of OpenSSL include and lib directories.

The last flag is only necessary if the FIPS-compliant OpenSSL is located somewhere other than the standard place. And of course you must have a FIPS-compliant version of OpenSSL.

Currently the --enable-fips flag is missing from the installation manual, which is a mistake that we will correct.
To get all configure options you can also go to the root of the OTP directory structure and run configure --help

Note that it is only the libcrypto from OpenSSL that we are dependent on.

1 Like
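
The build advice in the reply above, as an added example that is not part of the original thread or of OTP itself: a pre-flight check that an OpenSSL prefix is usable for an OTP 25 FIPS build before passing the two flags to configure. The function names and the /opt/openssl-fips path are hypothetical, and the check assumes opensslv.h carries an OPENSSL_VERSION_TEXT line.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an OTP 25 FIPS build.

# Print the version (e.g. "1.1.1w") from PREFIX/include/openssl/opensslv.h.
# Assumes the header has a line: # define OPENSSL_VERSION_TEXT "OpenSSL <ver> ..."
openssl_header_version() {
    hdr="$1/include/openssl/opensslv.h"
    [ -r "$hdr" ] || return 1
    sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"OpenSSL \([0-9][0-9A-Za-z.]*\).*/\1/p' "$hdr" | head -n 1
}

# Print the configure flags named in the thread, or fail with a reason.
# Return codes: 1 no/unreadable headers, 2 OpenSSL 3.x, 3 no libcrypto.
otp25_fips_configure_args() {
    prefix="$1"
    ver=$(openssl_header_version "$prefix") || {
        echo "no OpenSSL headers under $prefix/include" >&2; return 1; }
    case "$ver" in
        "")  echo "cannot read OpenSSL version under $prefix" >&2; return 1 ;;
        3.*) echo "OpenSSL $ver: FIPS with OpenSSL 3.x is not supported on the OTP 25 track" >&2
             return 2 ;;
    esac
    # Only libcrypto is required by OTP, so that is the library to look for.
    found=""
    for f in "$prefix"/lib/libcrypto.* "$prefix"/lib64/libcrypto.*; do
        if [ -e "$f" ]; then found=yes; fi
    done
    [ -n "$found" ] || { echo "no libcrypto under $prefix/lib or lib64" >&2; return 3; }
    echo "--enable-fips --with-ssl=$prefix"
}

# After the build: ask the new runtime what the crypto application reports.
# Prints not_supported, not_enabled or enabled (crypto:info_fips/0).
# not_enabled means FIPS support is compiled in but FIPS mode is switched off.
otp_fips_state() {
    "${1:-erl}" -noshell -eval 'io:format("~p~n", [crypto:info_fips()]), halt().'
}

# Typical use from the root of the OTP source tree (path is hypothetical):
#   args=$(otp25_fips_configure_args /opt/openssl-fips) && ./configure $args
#   make && ./bin/erl ...   then: otp_fips_state ./bin/erl
```

The version check only reads the header; whether that OpenSSL build is actually FIPS compliant still has to be established separately, as the reply says.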

Very informative, Thank you !

1 Like