We at Snow Software use EventStore in some of the company’s projects and are excited about the capabilities of the product. However, some of our customers are obliged to run machines in FIPS-140-2 enforcing (compliant) mode. It forbids usage of any non-compliant implementations of cryptographic algorithms, and MD5 hashing is among them.
When we start EventStore on such a machine, we see the issues caused by MD5 in:
A possible solution would be to replace MD5 with SHA1 or another compliant encryption algorithm implementation.
Have you faced a similar problem before, and what’s your view on FIPS compliance for Event Store?
We are considering forking the project and researching the changes required to run it on a machine that runs in FIPS compliant mode. Would you be interested in this contribution and in possibly incorporating it into the project’s main branch?
Are you aware of any challenges or blockers that can make this hard to achieve?