Fluxheim 1.3.5

Fluxheim 1.3.5 Release Notes

Status

Fluxheim 1.3.5 adds the rustls/AWS-LC FIPS-capable candidate path for source
builds and release evidence.

Highlights

• Added a rustls/AWS-LC FIPS-capable candidate backend through
  tls-rustls-fips.
• Added profile-fips-rustls and profile-iso19790-rustls as narrow
  validation aliases for rustls/AWS-LC FIPS and ISO/IEC 19790 terminology.
• Added tls-rustls-iso19790 as the raw ISO/IEC 19790 terminology alias for
  tls-rustls-fips.
• Refactored rustls TLS setup so normal rustls builds keep the ring provider
  while rustls FIPS candidate builds install/pass
  rustls::crypto::default_fips_provider().
• Added rustls FIPS provider diagnostics to fluxheim crypto and
  fluxheim-config-tester --crypto.
• Added examples/fips-rustls.toml, examples/iso19790-rustls.toml, and
  scripts/validate-fips-rustls.sh.
• Added per-backend release evidence skips, --skip-fips-openssl and
  --skip-fips-rustls, for builders that collect OpenSSL and rustls/AWS-LC
  evidence in different environments.

Compliance Boundary

This release does not claim that Fluxheim is FIPS certified or ISO/IEC 19790
validated. The rustls path is a source-build candidate that can make Fluxheim's
TLS listener use rustls' AWS-LC FIPS provider path and fail closed when
[tls.fips] required = true or [tls.iso19790] required = true is configured.

Operators still need the exact AWS-LC module certificate, Security Policy,
platform match, build procedure, deployment records, and non-TLS crypto
evidence before making regulated claims.

The rustls/AWS-LC FIPS candidate build requires the aws-lc-fips-sys toolchain,
including CMake, Go, and a C compiler.

This path intentionally adds a native C/assembly cryptographic module boundary.
It is not a pure-Rust FIPS claim: operators must collect evidence for the exact
validated AWS-LC module, toolchain, platform, and module Security Policy.
Fluxheim fails closed if a FIPS/ISO-required rustls listener cannot report
rustls FIPS mode; the vendored Pingora listener keeps a final panic assertion
with structured context after Fluxheim's normal provider and TLS-policy checks.

Example

cargo build --release --no-default-features --features profile-fips-rustls
scripts/validate-fips-rustls.sh check

Use profile-iso19790-rustls when the operator-facing evidence should use
ISO/IEC 19790 terminology. It maps to the same rustls/AWS-LC FIPS candidate
logic.

For release-mode evidence, use an AWS-LC-supported FIPS builder. Newer rolling
distribution compilers can fail inside aws-lc-fips-sys; the validation helper
now fails early for known newer GCC/Clang families unless
FLUXHEIM_ALLOW_EXPERIMENTAL_AWS_LC_FIPS_TOOLCHAIN=1 is set for investigation
builds.

Checksums And Signatures

• Commit: 9bac5e405f7764dfaa056bef54c2b078faf414ee
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • e1c3dda311b09ece52dceaf1fc49ead1b1d328b2e5cdcc8ec8f1b6212463569b fluxheim-1.3.5.tar.gz
  • 8a3956965f4f96d4cf50b1a7b1a58c27f699397ee4e2b9654924de5eca902fb1 fluxheim-1.3.5.zip
• Binary checksums:
  • 4d4c0a3f2dc4c3184c302f1ab59ee068912ace2c4bc1ed891e2f7b3e8faf9a06 fluxheim-1.3.5-full-x86_64-linux.tar.gz
  • 84a56dfb03fe43046c44573ebce0bb693bd465ac6ed0b31a5fc1259680c67fca fluxheim-1.3.5-cache-x86_64-linux.tar.gz
  • 33b5019122deaac7c19436d9d5563ba1c95ef758f44c458b8daf716875e91791 fluxheim-1.3.5-proxy-x86_64-linux.tar.gz
  • 8bd53ef99f1e55d443cf0260fc6fa157ade64b785063ad34c077309ae1013909 fluxheim-1.3.5-php-x86_64-linux.tar.gz
  • 240afab03940501b48ef132fa1f266f99d1e30ad5f77a59105df2dbafc607041 fluxheim-1.3.5-config-tester-x86_64-linux.tar.gz
• SBOM checksums:
  • 5c42a526fe406fb94e0ef6e6e2ff733ee5c7c5a27ec03710793166b7c5bae712 fluxheim.spdx.json
  • f0219fb074b2b51992e6b6be210f4d54ee01bc33e13190ba43c9ca1f05a94663 fluxheim.cyclonedx.json
• Reproducible build:
  • 6e49ead4af4c2d98469f01f09895e9c903ded99d9a5ac97d24e0f4133609a2e9
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:2ffba54bb6425c9a6a70733f96769f48ce96ba545ccf107466d4f002d16b5898
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:514036576f040406e033b4d3f9f0c6a8366d753c9a00acd60fa35401c71475b5
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:43d543e73d7f466065b4ea001b2312c1080afe1264f20b3bf80172d85a50ccf9
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:854decbbb4754a32b76dc425026b8ce89dac9b13dfbe144acefd933a22d468e2
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:40c9c92b955d0ea42191f72d6bd61c20223f5f96c998ac67dd3ace61f6db6b92
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:2a79ab39b5447918d2ae10e61e60f8b20d25d2854e26230b6c79f5758c9bf62c
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:7cc8b7439e08f04d21402d4adb35d02ba2eabc3ebbd1dcae8611c2982dd30605
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:3a3f17b415cd0a99797d428f809efd4e7ff541995b7d68ce4b210d42501691c9
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:5449d7acf115a23de7bf5725d1aa12322060388b7ff02f3783ea32f824fe4028
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:860bad86ba02855579009950d50c94daef6e75c0dfee8040046eadf60831bcbf
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:6d6669f8c5f4ddcb85583b43a288cfe23b4e3da8928a16d4bfa8b2e248e02a15
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:41d23d2b457f4bc2120873bf6ef33b766c0c83dc2f22978aaf892b91c7fa8261
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:a5684c410d60d6374f4599e8e64bd96f4940de184b696e53687c3a7977e1d112
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:7470e8466a3e22fcdfaf38ec96eac58c8669ea9119c23e7acaa1f5b152c1d7f6
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:5510dcd194783a9f3c17b2d17f801240a76939f96f1dcf312148a662b497d8e8
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:08f8d93769b215de6f6768b9f14a2b3f99c885fb9276ed2cc16ae1d60870bb83
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4