rustls::manual

Module _06_fips

Source
Expand description

This section provides guidance on using rustls with FIPS-approved cryptography.

§Using rustls with FIPS-approved cryptography

To use FIPS-approved cryptography with rustls, you should take these actions:

§1. Enable the fips crate feature for rustls.

Use:

rustls = { version = "0.23", features = [ "fips" ] }

§2. Use the FIPS CryptoProvider

This is default_fips_provider():

rustls::crypto::default_fips_provider()
    .install_default()
    .expect("default provider already set elsewhere");

This snippet makes use of the process-default provider, and that assumes all your uses of rustls use that. See CryptoProvider documentation for other ways to specify which CryptoProvider to use.

§3. Validate the FIPS status of your ClientConfig/ServerConfig at run-time

See ClientConfig::fips() or ServerConfig::fips().

You could, for example:

assert!(client_config.fips());

But maybe your application has an error handling or health-check strategy better than panicking.

§aws-lc-rs FIPS approval status

This is covered by FIPS 140-3 certificate #4816. See the security policy for precisely which environments and functions this certificate covers.

Later releases of aws-lc-rs may be covered by later certificates, or be pending certification.

For the most up-to-date details see the latest documentation for the aws-lc-fips-sys crate.