
enhance: enable OpenSSL FIPS mode for Milvus #48331

Merged
sre-ci-robot merged 1 commit into milvus-io:master from XuanYang-cn:fips
Mar 23, 2026

Conversation

@XuanYang-cn
Contributor

Layer 2 (OpenSSL FIPS) changes:

  • Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in boring_enabled.go (gated by //go:build boringcrypto)
  • Add openssl-fips.cnf with fips + default providers and default_properties = fips=yes
  • Use absolute .include path for fipsmodule.cnf — OpenSSL resolves relative .include from the process working directory, not the config file's directory, causing silent FIPS provider load failure
  • Add RAND_bytes probe after config load to verify the FIPS provider is truly functional (EVP_default_properties_is_fips_enabled only checks the property string, not whether the provider loaded)
  • Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
  • Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:

  • Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
  • Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:

  • Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL 3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: #48202, #48301
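The configuration failure modes listed in the PR description (a relative `.include` that OpenSSL resolves against the process working directory, a providers section that never lists fips, and a missing `default_properties = fips=yes`) can be caught before the binary ever starts. The following Go program is an added example, not code from the Milvus repository: it parses an OpenSSL-style .cnf, lints those three points, and optionally probes whether each absolute include actually exists on the host. The sample config and the path `/usr/local/ssl/fipsmodule.cnf` are constructed; `CheckFIPSConfig`, `parseCnf`, `GoodFIPSConfig` and `BadFIPSConfig` are hypothetical names, not Milvus or OpenSSL APIs.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one problem in a config meant to force FIPS mode; Line is 0 for whole-file findings.
type Finding struct{ Line int; Msg string }

// cnf is a minimal parse of OpenSSL's .cnf: key = value pairs under [section] headers ("" before any header) plus .include lines.
type cnf struct {
	sections map[string]map[string]string
	includes []struct{ line int; path string }
}

func parseCnf(text string) cnf {
	c := cnf{sections: map[string]map[string]string{"": {}}}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"): // blank or comment
		case strings.HasPrefix(line, ".include"):
			p := strings.TrimSpace(strings.TrimPrefix(line, ".include"))
			p = strings.TrimSpace(strings.TrimPrefix(p, "=")) // ".include = path" spelling
			c.includes = append(c.includes, struct{ line int; path string }{n, p})
		case strings.HasPrefix(line, "["):
			section = strings.Trim(line, "[] ")
			if c.sections[section] == nil {
				c.sections[section] = map[string]string{}
			}
		default:
			if k, v, ok := strings.Cut(line, "="); ok {
				c.sections[section][strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return c
}

// CheckFIPSConfig flags the failure modes the PR description names: a relative .include (OpenSSL
// resolves it against the working directory, so fipsmodule.cnf silently fails to load), a providers
// list that omits fips (its section lives in the included fipsmodule.cnf, so only the listing is
// checked), and a default_properties query lacking the exact fips=yes term. nil fileExists skips the probe.
func CheckFIPSConfig(text string, fileExists func(string) bool) []Finding {
	var out []Finding
	c := parseCnf(text)
	for _, inc := range c.includes {
		if !filepath.IsAbs(inc.path) {
			out = append(out, Finding{inc.line, fmt.Sprintf(".include %q is relative: resolved against the working directory, not this file's directory", inc.path)})
		} else if fileExists != nil && !fileExists(inc.path) {
			out = append(out, Finding{inc.line, fmt.Sprintf(".include %q not found on this host", inc.path)})
		}
	}
	initSec := c.sections[c.sections[""]["openssl_conf"]]
	if c.sections[""]["openssl_conf"] == "" || initSec == nil {
		return append(out, Finding{0, "openssl_conf does not name an init section; no provider is activated"})
	}
	if c.sections[initSec["providers"]]["fips"] == "" {
		out = append(out, Finding{0, "providers section does not list the fips provider"})
	}
	props := "," + strings.ReplaceAll(c.sections[initSec["alg_section"]]["default_properties"], " ", "") + ","
	if !strings.Contains(props, ",fips=yes,") {
		out = append(out, Finding{0, "default_properties lacks fips=yes; non-FIPS implementations stay selectable"})
	}
	return out
}

// Constructed sample, not the Milvus openssl-fips.cnf; the include path is a placeholder.
const GoodFIPSConfig = `openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
`

// BadFIPSConfig has the two mistakes the PR calls out: a relative .include and no fips=yes.
var BadFIPSConfig = strings.NewReplacer(
	".include /usr/local/ssl/fipsmodule.cnf", ".include fipsmodule.cnf",
	"default_properties = fips=yes", "",
).Replace(GoodFIPSConfig)

func main() {
	exists := func(p string) bool { _, err := os.Stat(p); return err == nil }
	fmt.Println("good:", CheckFIPSConfig(GoodFIPSConfig, exists))
	fmt.Println("bad:", CheckFIPSConfig(BadFIPSConfig, exists))
}
```

This is a static pre-flight complement to the runtime checks the PR adds, not a replacement: it cannot tell whether the provider actually loaded, which is why the RAND_bytes probe after OSSL_LIB_CTX_load_config still matters. Run as-is on a host without the placeholder file, the "good" config reports the include as not found, which is the existence probe doing its job; in CI the same function can be pointed at the real openssl-fips.cnf and the real filesystem.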

@sre-ci-robot sre-ci-robot added size/L Denotes a PR that changes 100-499 lines. area/compilation labels Mar 18, 2026
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 18, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider
  is truly functional (EVP_default_properties_is_fips_enabled only
  checks the property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Co-Authored-By: Claude Opus <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
@mergify mergify bot added dco-passed DCO check passed. kind/enhancement Issues or changes related to enhancement labels Mar 18, 2026
@sre-ci-robot
Contributor

[ci-v2-notice]
Notice: New ci-v2 system is enabled for this PR.

To rerun ci-v2 checks, comment with:

  • /ci-rerun-code-check // for ci-v2/code-check
  • /ci-rerun-build // for ci-v2/build
  • /ci-rerun-build-all // for ci-v2/build-all (multi-arch builds)
  • /ci-rerun-build-env // for ci-v2/build-env (build milvus-env builder images)
  • /ci-rerun-ut-integration // for ci-v2/ut-integration, will rerun ci-v2/build
  • /ci-rerun-ut-go // for ci-v2/ut-go, will rerun ci-v2/build
  • /ci-rerun-ut-cpp // for ci-v2/ut-cpp
  • /ci-rerun-ut // for all ci-v2/ut-integration, ci-v2/ut-go, ci-v2/ut-cpp, will rerun ci-v2/build
  • /ci-rerun-e2e-arm // for ci-v2/e2e-arm
  • /ci-rerun-e2e-default // for ci-v2/e2e-default
  • /ci-rerun-ciloop // for ci-v2/ciloop (build + unit tests in one pipeline)

If you have any questions or requests, please contact @zhikunyao.

@mergify
Contributor

mergify bot commented Mar 18, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

@codecov

codecov bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 44.44444% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 77.50%. Comparing base (d8f0811) to head (62d5186).
⚠️ Report is 16 commits behind head on master.

Files with missing lines              Patch %   Lines
internal/core/src/common/init_c.cpp   0.00%     5 Missing ⚠️
Additional details and impacted files


@@            Coverage Diff             @@
##           master   #48331      +/-   ##
==========================================
- Coverage   77.52%   77.50%   -0.03%     
==========================================
  Files        2107     2107              
  Lines      348923   348932       +9     
==========================================
- Hits       270501   270432      -69     
- Misses      70161    70221      +60     
- Partials     8261     8279      +18     
Components   Coverage Δ
Client       78.65% <ø> (-0.04%) ⬇️
Core         83.94% <0.00%> (-0.01%) ⬇️
Go           75.66% <100.00%> (-0.03%) ⬇️

Files with missing lines                   Coverage Δ
internal/datanode/index/init_segcore.go    88.46% <100.00%> (+0.46%) ⬆️
internal/util/initcore/query_node.go       79.06% <100.00%> (+0.32%) ⬆️
internal/core/src/common/init_c.cpp        0.00% <0.00%> (ø)

... and 31 files with indirect coverage changes


@sre-ci-robot sre-ci-robot added the low-code-coverage add test-label from zhikun, diff coverage > 80% label Mar 18, 2026
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 18, 2026
@sre-ci-robot sre-ci-robot removed the low-code-coverage add test-label from zhikun, diff coverage > 80% label Mar 18, 2026
@mergify
Contributor

mergify bot commented Mar 18, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

@sre-ci-robot sre-ci-robot added the low-code-coverage add test-label from zhikun, diff coverage > 80% label Mar 18, 2026
@XuanYang-cn
Contributor Author

rerun go-sdk

@mergify
Contributor

mergify bot commented Mar 19, 2026

@XuanYang-cn go-sdk check failed, comment rerun go-sdk can trigger the job again.

XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 19, 2026
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 19, 2026
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 19, 2026
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 20, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

enhance: add CRC32C checksum and TLS support for object storage

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Co-Authored-By: Claude Opus <noreply@anthropic.com>
Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 20, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

enhance: add CRC32C checksum and TLS support for object storage (#9)

Add CRC32C checksum validation for MinIO/S3 PutObject requests and
  enhance TLS configuration for object storage connections.

See also: milvus-io#48202, milvus-io#48301
pr: milvus-io#48331

Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
  boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
  default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
  relative .include from the process working directory, not the config
  file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider
  is truly functional (EVP_default_properties_is_fips_enabled only
  checks the property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py.
  s2n 1.4.1 only detects FIPS via the legacy OPENSSL_FIPS define
  (not set by OpenSSL 3.x). s2n 1.6.0 adds
  EVP_default_properties_is_fips_enabled() detection so s2n enters
  FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
@sre-ci-robot sre-ci-robot removed the low-code-coverage add test-label from zhikun, diff coverage > 80% label Mar 20, 2026
@mergify mergify bot added the ci-passed label Mar 20, 2026
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 20, 2026
@tedxu
Contributor

tedxu commented Mar 23, 2026

/lgtm
/approve

@sre-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tedxu, XuanYang-cn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details: Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sre-ci-robot sre-ci-robot merged commit c54b34a into milvus-io:master Mar 23, 2026
16 of 20 checks passed
@XuanYang-cn XuanYang-cn deleted the fips branch March 23, 2026 09:19
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Mar 24, 2026
sre-ci-robot pushed a commit that referenced this pull request Mar 24, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
relative .include from the process working directory, not the config
file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
truly functional (EVP_default_properties_is_fips_enabled only checks the
property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: #48202, #48301
pr: #48331

---------

Signed-off-by: jiaqizho <jiaqi.zhou@zilliz.com>
Signed-off-by: yangxuan <xuan.yang@zilliz.com>
houseme pushed a commit to heihutu/milvus that referenced this pull request Mar 31, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
relative .include from the process working directory, not the config
file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
truly functional (EVP_default_properties_is_fips_enabled only checks the
property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301

Signed-off-by: yangxuan <xuan.yang@zilliz.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: heihutu <heihutu@gmail.com>
houseme pushed a commit to heihutu/milvus that referenced this pull request Mar 31, 2026
Layer 2 (OpenSSL FIPS) changes:
- Add programmatic FIPS activation via OSSL_LIB_CTX_load_config in
boring_enabled.go (gated by //go:build boringcrypto)
- Add openssl-fips.cnf with fips + default providers and
default_properties = fips=yes
- Use absolute .include path for fipsmodule.cnf — OpenSSL resolves
relative .include from the process working directory, not the config
file's directory, causing silent FIPS provider load failure
- Add RAND_bytes probe after config load to verify the FIPS provider is
truly functional (EVP_default_properties_is_fips_enabled only checks the
property string, not whether the provider loaded)
- Dockerfiles: add openssl fipsinstall + OPENSSL_MODULES env var
- Log OpenSSL FIPS status from C++ via
EVP_default_properties_is_fips_enabled

Layer 1 (Go BoringCrypto) changes:
- Add GOEXPERIMENT=boringcrypto build flag (conditional on
MILVUS_FIPS_ENABLED=ON)
- Add boringEnabled() build-tagged functions for startup logging

s2n-tls upgrade:
- Override s2n 1.4.1 (from aws-c-io) to 1.6.0 in conanfile.py. s2n 1.4.1
only detects FIPS via the legacy OPENSSL_FIPS define (not set by OpenSSL
3.x). s2n 1.6.0 adds EVP_default_properties_is_fips_enabled() detection
so s2n enters FIPS mode and uses RAND_bytes() through the FIPS provider.

See also: milvus-io#48202, milvus-io#48301
Signed-off-by: XuanYang-cn <xuan.yang@zilliz.com>
XuanYang-cn added a commit to XuanYang-cn/milvus that referenced this pull request Apr 2, 2026

Labels

approved area/compilation ci-passed dco-passed DCO check passed. kind/enhancement Issues or changes related to enhancement lgtm size/L Denotes a PR that changes 100-499 lines.
