enhance: enable Go BoringCrypto (FIPS 140-2) for milvus binary #48202

Closed
XuanYang-cn wants to merge 2 commits into milvus-io:2.6 from XuanYang-cn:fips

@XuanYang-cn

  • Add GOEXPERIMENT=boringcrypto to build-go target in Makefile
  • Log BoringCrypto status in startup banner via build-tagged files
  • Copy ossl-modules/fips.so to lib/ during install (was missing)
  • Ship openssl-fips.cnf for OpenSSL FIPS provider activation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>

@sre-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: XuanYang-cn
To complete the pull request process, please assign congqixia after the PR has been reviewed.
You can assign the PR to them by writing /assign @congqixia in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sre-ci-robot sre-ci-robot added size/M Denotes a PR that changes 30-99 lines. area/compilation labels Mar 11, 2026
@mergify mergify bot added the dco-passed DCO check passed. label Mar 11, 2026
@mergify

mergify bot commented Mar 11, 2026

@XuanYang-cn Please associate the related pr of master to the body of your Pull Request. (eg. "pr: #")

@mergify mergify bot added do-not-merge/missing-related-pr kind/enhancement Issues or changes related to enhancement labels Mar 11, 2026
@sre-ci-robot sre-ci-robot added the do-not-merge/need-merge-master-first any pr merge to release branch need to merge master first label Mar 11, 2026
@sre-ci-robot

[ci-v2-notice]
Notice: New ci-v2 system is enabled for this PR.

To rerun ci-v2 checks, comment with:

  • /ci-rerun-code-check // for ci-v2/code-check
  • /ci-rerun-build // for ci-v2/build
  • /ci-rerun-build-all // for ci-v2/build-all (multi-arch builds)
  • /ci-rerun-ut-integration // for ci-v2/ut-integration, will rerun ci-v2/build
  • /ci-rerun-ut-go // for ci-v2/ut-go, will rerun ci-v2/build
  • /ci-rerun-ut-cpp // for ci-v2/ut-cpp
  • /ci-rerun-ut // for all ci-v2/ut-integration, ci-v2/ut-go, ci-v2/ut-cpp, will rerun ci-v2/build
  • /ci-rerun-e2e-arm // for ci-v2/e2e-arm
  • /ci-rerun-e2e-default // for ci-v2/e2e-default
  • /ci-rerun-ciloop // for ci-v2/ciloop (build + unit tests in one pipeline)

If you have any questions or requests, please contact @zhikunyao.

@sre-ci-robot sre-ci-robot added the do-not-merge/need-milestone generate by v2-label-manager label Mar 11, 2026
@sre-ci-robot

[INFO] PR Label Summary by Default
[WARNING] No dependent PR reference found

  • Target branch '2.6' requires a PR merged to master first
  • Please add reference in format 'pr: #number'

[WARNING] Milestone not set

You can set milestone by commenting:
/set-milestone
Example:
/set-milestone 2.5.0

Use /refresh-label to update related check and label manually

@codecov

codecov bot commented Mar 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.69%. Comparing base (3653722) to head (aa04807).
⚠️ Report is 13 commits behind head on 2.6.

❌ Your project status has failed because the head coverage (74.69%) is below the target coverage (77.00%). You can increase the head coverage or adjust the target coverage.

@@            Coverage Diff             @@
##              2.6   #48202      +/-   ##
==========================================
- Coverage   74.70%   74.69%   -0.02%     
==========================================
  Files        1414     1414              
  Lines      221741   221745       +4     
==========================================
- Hits       165645   165623      -22     
- Misses      48556    48580      +24     
- Partials     7540     7542       +2     
Components Coverage Δ
Client 78.45% <ø> (ø)
Core ∅ <ø> (∅)
Go 75.69% <100.00%> (-0.02%) ⬇️
Files with missing lines Coverage Δ
internal/datanode/index/init_segcore.go 88.46% <100.00%> (+0.46%) ⬆️
internal/util/initcore/query_node.go 78.57% <100.00%> (+0.34%) ⬆️

... and 30 files with indirect coverage changes

@sre-ci-robot sre-ci-robot added low-code-coverage add test-label from zhikun, diff coverage > 80% and removed low-code-coverage add test-label from zhikun, diff coverage > 80% labels Mar 11, 2026
XuanYang-cn and others added 2 commits March 12, 2026 10:56
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
- Add GOEXPERIMENT=boringcrypto to build-go target in Makefile
- Log BoringCrypto status in startup banner via build-tagged files
- Copy ossl-modules/fips.so to lib/ during install (was missing)
- Ship openssl-fips.cnf for OpenSSL FIPS provider activation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
@sre-ci-robot sre-ci-robot added low-code-coverage add test-label from zhikun, diff coverage > 80% and removed low-code-coverage add test-label from zhikun, diff coverage > 80% labels Mar 12, 2026
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 18, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider
  is truly functional (EVP_default_properties_is_fips_enabled only
  checks the property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
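
The relative `.include` failure and the "property string is set but the provider never loaded" gap described in this commit message can be caught statically before an image ships. The Go linter below is an added example, not code from the Milvus PR; `LintFIPSConfig`, the sample config text and the `/opt/example/ssl` path are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// Finding is one problem in an OpenSSL config. Line is 0 when the problem is
// a missing setting rather than a specific bad line.
type Finding struct {
	Line int
	Msg  string
}

// LintFIPSConfig checks OpenSSL config text for three conditions taken from
// the commit message: a relative .include, a providers section without a fips
// entry, and an algorithm section without default_properties = fips=yes.
func LintFIPSConfig(conf string) []Finding {
	var out []Finding
	sections := map[string]map[string]string{"default": {}}
	cur := "default"
	sc := bufio.NewScanner(strings.NewReader(conf))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // drop comments
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			cur = strings.TrimSpace(line[1 : len(line)-1])
			if sections[cur] == nil {
				sections[cur] = map[string]string{}
			}
		case strings.HasPrefix(line, ".include"):
			// OpenSSL accepts both ".include path" and ".include = path".
			p := strings.TrimSpace(strings.TrimPrefix(line, ".include"))
			p = strings.TrimSpace(strings.TrimPrefix(p, "="))
			// IsAbs follows the host OS path rules (POSIX on Linux images).
			if !filepath.IsAbs(p) {
				out = append(out, Finding{n, fmt.Sprintf(
					"relative .include %q depends on the process working directory", p)})
			}
		default:
			if k, v, ok := strings.Cut(line, "="); ok {
				sections[cur][strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	// Follow openssl_conf -> providers / alg_section by name, as OpenSSL does.
	root := sections[sections["default"]["openssl_conf"]]
	if _, ok := sections[root["providers"]]["fips"]; !ok {
		out = append(out, Finding{0, "fips provider is not listed in the providers section"})
	}
	props := strings.ReplaceAll(sections[root["alg_section"]]["default_properties"], " ", "")
	if !strings.Contains(props, "fips=yes") {
		out = append(out, Finding{0, "default_properties does not contain fips=yes"})
	}
	return out
}

// Constructed sample: the shape the commit message describes (fips + default
// providers, default_properties = fips=yes) with a relative .include.
const relativeConf = `openssl_conf = openssl_init
.include fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
`

// Same config with a placeholder absolute path for fipsmodule.cnf.
var absoluteConf = strings.Replace(relativeConf,
	".include fipsmodule.cnf", ".include /opt/example/ssl/fipsmodule.cnf", 1)

func main() {
	for _, c := range []string{relativeConf, absoluteConf} {
		fmt.Println(LintFIPSConfig(c))
	}
}
```

A clean lint result only says the file is well-formed; whether the provider actually loaded still has to be checked at runtime, which is what the RAND_bytes probe in the commit message is for.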
@XuanYang-cn XuanYang-cn deleted the fips branch March 18, 2026 07:03
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 18, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider
  is truly functional (EVP_default_properties_is_fips_enabled only
  checks the property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 18, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider
  is truly functional (EVP_default_properties_is_fips_enabled only
  checks the property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Co-Authored-By: Claude Opus <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 19, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider
  is truly functional (EVP_default_properties_is_fips_enabled only
  checks the property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Co-Authored-By: Claude Opus <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 20, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

enhance: add CRC32C checksum and TLS support for object storage

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Co-Authored-By: Claude Opus <noreply@anthropic.com>
Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 20, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

enhance: add CRC32C checksum and TLS support for object storage (#9)

Add CRC32C checksum validation for MinIO/S3 PutObject requests and
  enhance TLS configuration for object storage connections.

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 20, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider
  is truly functional (EVP_default_properties_is_fips_enabled only
  checks the property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
sre-ci-robot pushed a commit that referenced this pull request Mar 23, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
relative .include from the process working directory, not the config
file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
truly functional (EVP_default_properties_is_fips_enabled only checks the
property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: #48202, #48301

Signed-off-by: yangxuan <xuan.yang@zilliz.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 24, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

enhance: add CRC32C checksum and TLS support for object storage (#9)

Add CRC32C checksum validation for MinIO/S3 PutObject requests and
  enhance TLS configuration for object storage connections.

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
sre-ci-robot pushed a commit that referenced this pull request Mar 24, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
relative .include from the process working directory, not the config
file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
truly functional (EVP_default_properties_is_fips_enabled only checks the
property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: #48202, #48301
pr: #48331

---------

Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
houseme pushed a commit to heihutu/milvus that referenced this pull request Mar 31, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
relative .include from the process working directory, not the config
file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
truly functional (EVP_default_properties_is_fips_enabled only checks the
property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301

Signed-off-by: yangxuan <xuan.yang@zilliz.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: heihutu <heihutu@gmail.com>
houseme pushed a commit to heihutu/milvus that referenced this pull request Mar 31, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
relative .include from the process working directory, not the config
file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
truly functional (EVP_default_properties_is_fips_enabled only checks the
property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301


Signed-off-by: XuanYang-cn <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Apr 2, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

enhance: add CRC32C checksum and TLS support for object storage

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Co-Authored-By: Claude Opus <noreply@anthropic.com>
Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>

Labels

area/compilation dco-passed DCO check passed. do-not-merge/missing-related-pr do-not-merge/need-merge-master-first any pr merge to release branch need to merge master first do-not-merge/need-milestone generate by v2-label-manager kind/enhancement Issues or changes related to enhancement size/M Denotes a PR that changes 30-99 lines.
