Module rustls::manual::_06_fips


This section provides guidance on using rustls with FIPS-approved cryptography.

§Using rustls with FIPS-approved cryptography

To use FIPS-approved cryptography with rustls, you should take these actions:

§1. Enable the fips crate feature for rustls.

Use:

rustls = { version = "0.23", features = [ "fips" ] }

§2. Use the FIPS CryptoProvider

This is default_fips_provider():

rustls::crypto::default_fips_provider()
    .install_default()
    .expect("default provider already set elsewhere");

This snippet installs the process-default provider, which assumes that every use of rustls in the process relies on that default. See the CryptoProvider documentation for other ways to specify which CryptoProvider to use (for example, passing one explicitly to ClientConfig::builder_with_provider() or ServerConfig::builder_with_provider()).

§3. Validate the FIPS status of your ClientConfig/ServerConfig at run-time

See ClientConfig::fips() or ServerConfig::fips().

You could, for example:

assert!(client_config.fips());

Panicking is rarely the right response in production, though; wiring the check into your application's error handling or health-check strategy lets you report the failure and refuse to serve traffic cleanly. Note that fips() reflects the provider and algorithm choices baked into the configuration, so a configuration built from a provider that still includes a non-approved algorithm (for example, the ChaCha20-Poly1305 suite of the plain aws-lc-rs provider) reports false.

§aws-lc-rs FIPS approval status

At the time of writing, FIPS approval of aws-lc-rs is pending on Linux for two architectures (ARM aarch64 and Intel x86-64); other platforms are not covered by that submission.

For the most up-to-date details see the latest documentation for the aws-lc-fips-sys crate.