Is NATS-server FIPS compliant #2200
-
Hi Team, can I know if the nats-server is FIPS compliant, and what is the crypto library used? Thanks,
Replies: 2 comments 5 replies
-
It is not FIPS compliant (assuming you mean the usual FIPS 140-2 and 140-3). We use the Go native TLS stack. We have no current plans to support FIPS. Any company contributing to NATS is of course welcome to develop support and contribute it, but we'd view the contribution very carefully and it might not be merged. There are enough problems with FIPS variants of the main TLS algorithms that we believe that FIPS support is detrimental to product security and dangerous to try to support. Such a deliberate weakening has knock-on consequences everywhere. So a contribution to provide a FIPS mode would need to address this concern. It's also been a while since I looked at this, so it's possible that our using a minimum version of TLS 1.2 means that a lot of the old problems are mitigated.
-
The NATS Server by default uses the Go standard crypto library, which is not FIPS 140-2 certified. However, NATS can be built with the Go boringcrypto module, which is a FIPS 140-2 validated cryptographic module, to meet compliance needs. This means NATS itself is not certified, but it can run in a FIPS-compliant mode if required. It guarantees that any devices and services they use comply with the highest security standard NIST sets. It provides a complete set of security procedures and principles to be followed while creating, storing, and processing sensitive data. For a clear explanation of FIPS 140-2, you can refer to this guide: https://signmycode.com/blog/what-is-fips-detailed-guide-on-fips-140-2
Currently the FIPS server is a commercial offering.