This section provides guidance on using rustls with FIPS-approved cryptography.
§Using rustls with FIPS-approved cryptography
To use FIPS-approved cryptography with rustls, you should take these actions:
§1. Enable the fips crate feature for rustls
This feature also enables the aws-lc-rs feature and selects the FIPS build of the aws-lc-rs crate; rustls does not offer FIPS-approved cryptography with any other provider.
Use:
rustls = { version = "0.23", features = [ "fips" ] }
§2. Use the FIPS CryptoProvider
This is default_fips_provider():
rustls::crypto::default_fips_provider()
.install_default()
.expect("default provider already set elsewhere");
This snippet installs the process-default provider, which assumes that every use of rustls in the process (including in any dependency that builds its own ClientConfig or ServerConfig) should use that provider. See the CryptoProvider documentation for other ways to specify which CryptoProvider to use, such as passing one explicitly to ClientConfig::builder_with_provider() or ServerConfig::builder_with_provider().
§3. Validate the FIPS status of your ClientConfig/ServerConfig at run-time
See ClientConfig::fips() or ServerConfig::fips().
You could, for example:
assert!(client_config.fips());
But your application may have an error-handling or health-check strategy better than panicking, such as returning an error from the function that builds the config, or failing a readiness probe. Note that fips() reports more than the provider's status: it also covers TLS-level settings that FIPS mode requires, so a config built from a FIPS provider can still report false if, for example, require_ems is later set to false.
§aws-lc-rs FIPS approval status
This is covered by FIPS 140-3 certificate #4816. See the security policy for precisely which environments and functions this certificate covers.
Later releases of aws-lc-rs may be covered by later certificates, or be pending certification.
For the most up-to-date details see the latest documentation for the aws-lc-fips-sys crate.