Re: Is envoy FIPS-140-3 compliant?

[Yan Avlasov]

FIPS compliant Envoy is built with the FIPS validated BoringSSL library. Here is the link of BoringSSL FIPS validation: https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

On Fri, Sep 1, 2023 at 2:44 AM 'Rajaram Gaunker' via envoy-users <envoy...@googlegroups.com> wrote:

Hi all

Is envoy FIPS-140-3 compliant?. I don't see anything in doc about FIPS-140-3. 

Any idea?. Does it all depend on boringSSL?

Thanks

--rajaram

--
You received this message because you are subscribed to the Google Groups "envoy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to envoy-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-users/71a1204c-b4b9-48ac-a5ed-814aea9026ccn%40googlegroups.com.

[Rajaram Gaunker]

Thanks, Yan, I saw the above page, but it talks about 140-2 and not about 140-3.

Envoy also talks only about 140-2  https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl .

Thanks

--rajaram

[Paul Merrison]

There is no FIPS 140-3 compliant version of BoringSSL, so the best Envoy can do is 140-2.  The CMVP in process list doesn't include a BoringSSL update (https://csrc.nist.gov/Projects/cryptographic-module-validation-program/modules-in-process/Modules-In-Process-List), so I don't think there'll be a 140-3 version in the foreseeable future (1-2 years)

thanks,

Paul