Ben Darnell (bdarnell) commented:
Page: https://cockroachlabs.com/docs/v23.1/fips.html
What is the reason for your feedback?
[x] Something is broken
Additional details
Two issues:
Under "Use the FIPS-ready CockroachDB Docker image", step 2, the link "Releases" goes to the general releases page which does not include fips-ready builds or docker image names. Instead it should link to the #production-releases table on the same page.

The "Encryption/In-flight" section describes the ciphers used in standard builds, but FIPS builds are different. In particular, CHACHA20 is not a FIPS-approved cipher, so it's not supported in FIPS builds. I think the edits needed are to remove the two CHACHA20 variants from the TLS 1.2 list, and to replace the TLS 1.3 "list" link with TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 (the Go list minus CHACHA20). I'm not sure how to best verify that we've got this correct (and I'm not sure if the OLD_CIPHER_SUITES env var works in FIPS mode, but I think it does).
Jira Issue: DOC-7769
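As an added example (not from the CockroachDB docs or the issue above), the following Go program applies the one rule the comment states, "the Go list minus CHACHA20", to Go's own `tls.CipherSuites()` so the resulting TLS 1.2 and TLS 1.3 lists can be compared against the docs page, and audits a constructed `tls.Config` for CHACHA20 suites. It assumes the docs list is derived from Go's default non-insecure suites; it is not a full FIPS 140 validation of a build.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// fipsReadySuites filters Go's default (non-insecure) cipher suites with the
// single rule from the docs feedback: drop every CHACHA20 variant. Names are
// grouped by the TLS version(s) each suite may be negotiated under.
// Assumption: the docs list is Go's tls.CipherSuites(); nothing else is checked.
func fipsReadySuites() map[uint16][]string {
	out := map[uint16][]string{}
	for _, cs := range tls.CipherSuites() {
		if strings.Contains(cs.Name, "CHACHA20") {
			continue
		}
		for _, v := range cs.SupportedVersions {
			if v == tls.VersionTLS12 || v == tls.VersionTLS13 {
				out[v] = append(out[v], cs.Name)
			}
		}
	}
	return out
}

// chacha20Suites returns the names of any CHACHA20 suites among the given
// cipher-suite IDs, e.g. from a tls.Config about to be used in a FIPS build.
func chacha20Suites(ids []uint16) []string {
	var found []string
	for _, id := range ids {
		if name := tls.CipherSuiteName(id); strings.Contains(name, "CHACHA20") {
			found = append(found, name)
		}
	}
	return found
}

func main() {
	for v, names := range fipsReadySuites() {
		fmt.Printf("TLS 0x%04x: %s\n", v, strings.Join(names, ", "))
	}
	// Constructed config: a common TLS 1.2 list that still carries a CHACHA20 suite.
	cfg := &tls.Config{CipherSuites: []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
	}}
	fmt.Println("CHACHA20 suites in config:", chacha20Suites(cfg.CipherSuites))
}
```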