There are two methods that I’m aware of to run a FIPS 140-2 compliant Go web server. See the first post in this series for why this might be necessary. One approach is to use a FIPS 140-2 compliant SSL terminating proxy and place it in front of the Go application. I wrote an earlier post that covers how to do this and provides a Docker container for demonstration.
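As an added illustration of the proxy approach (this is not code from the original posts or their Docker container), the Go application below does no TLS of its own: it binds only to loopback so the FIPS-validated proxy on the same host is the only way in, and it refuses any request the proxy does not mark as having arrived over TLS. The `X-Forwarded-Proto` header and port 8080 are assumptions about how the proxy is configured.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
)

// requireProxyTLS serves a request only when the terminating proxy marks it
// as having arrived over TLS. X-Forwarded-Proto is assumed to be the header
// the proxy sets; the proxy, not Go's crypto/tls, is the validated module.
// This check is only meaningful because the listener is loopback-only
// (a remote client could otherwise forge the header).
func requireProxyTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Forwarded-Proto") != "https" {
			http.Error(w, "plaintext access refused; connect through the TLS proxy",
				http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newBackend builds the application's handler with the proxy check in front.
func newBackend() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello from the Go app behind the FIPS proxy")
	})
	return requireProxyTLS(mux)
}

// loopbackListener binds to 127.0.0.1 only, so the backend is unreachable
// from the network except through the proxy on the same host (assumed port 8080).
func loopbackListener() (net.Listener, error) {
	return net.Listen("tcp", "127.0.0.1:8080")
}

func main() {
	ln, err := loopbackListener()
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(ln, newBackend()))
}
```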
If the opportunity arises, I would like to use Go as the language for a new project in the defense industry. This means I would need to be able to make the product compliant with the Application Security & Development STIG. To lay some of that groundwork before I need it, this is the first in a series of articles discussing how to get over the major hurdles of building a Go application that could be put on a defense network.
FIPS 140-2 is a government security standard used to approve cryptographic modules. It’s important to recognize that using an approved algorithm is not enough: unless the module itself (i.e. the binary or source code) has been evaluated under the FIPS 140-2 standard, you’re not compliant with the standard. Thankfully OpenSSL provides an open source FIPS 140-2 compliant module, which is compliant only if it is built and used precisely per their instructions.