Anyone dealt with FIPS compliance?

My company is requiring FIPS requirements in all of its applications. That means no MD5, which Ember-cli appears to use (at least in our ember 3.24 app).

I may be able to get an exception for this since it’s build code, but would rather just get it working.

Here’s the failure we are seeing digital envelope routines:EVP_DigestInit_ex:disabled for FIPS at new Hash (node:internal/crypto/hash:69:19) at Object.createHash (node:crypto:133:10) at md5 (/home/jenkins/workspace/myapp/node_modules/leek/lib/md5.js:7:12) at new Leek (/home/jenkins/workspace/mayapp/node_modules/leek/lib/leek.js:35:41) at module.exports (/home/jenkins/workspace/myapp/node_modules/ember-cli/lib/cli/index.js:122:16) at Object. (/home/jenkins/workspace/myapp/node_modules/ember-cli/bin/ember:34:1) at Module._compile (node:internal/modules/cjs/loader:1356:14) at Module._extensions…js (node:internal/modules/cjs/loader:1414:10) at Module.load (node:internal/modules/cjs/loader:1197:32) at Module._load (node:internal/modules/cjs/loader:1013:12) { library: ‘digital envelope routines’, function: ‘EVP_DigestInit_ex’, reason: ‘disabled for FIPS’, code: ‘ERR_OSSL_EVP_DISABLED_FOR_FIPS’

If Leek is the lib you’re concerned about, it was used solely for analytics purposes (and analysis solely of information how how ember-cli was being used in builds). But it wasn’t removed until Ember-CLI 5.4 so you may have to back port that change if you really need it to not be part of your tooling: [ENHANCEMENT] Remove all telemetry by bertdeblock · Pull Request #10353 · ember-cli/ember-cli · GitHub

1 Like