From fcfbec471073fb825d098ec16b42d22aaff2f7f3 Mon Sep 17 00:00:00 2001
From: Wade Simmons
Date: Mon, 27 Apr 2026 16:43:35 -0400
Subject: [PATCH] log the fips140 mode and version

Requires go1.26 for fips140.Version()
---
 README.md | 4 +++-
 fips140.go | 17 +++++++++++++++++
 go.mod | 2 +-
 interface.go | 3 +--
 4 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 fips140.go

diff --git a/README.md b/README.md
index f27e0b5b..98476a29 100644
--- a/README.md
+++ b/README.md
@@ -156,13 +156,15 @@ make bin-boringcrypto
 make release-boringcrypto
 ```
 
-Nebula can also be built using the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets:
+Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (this must be set at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode).
 
 ```sh
 make fips140
 make fips140 release
 ```
 
+You will then also need to run nebula with `GODEBUG=fips140=only` to enable usage at runtime.
+
 This is not the recommended default deployment, but may be useful based on your compliance requirements.
 
 ## Credits
diff --git a/fips140.go b/fips140.go
new file mode 100644
index 00000000..1ed824c6
--- /dev/null
+++ b/fips140.go
@@ -0,0 +1,17 @@
+package nebula
+
+import (
+ "crypto/fips140"
+ "fmt"
+)
+
+func fips140version() string {
+ switch {
+ case fips140.Enforced():
+ return fmt.Sprintf("only,version=%s", fips140.Version())
+ case fips140.Enabled():
+ return fmt.Sprintf("on,version=%s", fips140.Version())
+ default:
+ return "off"
+ }
+}
diff --git a/go.mod b/go.mod
index 0de2df7d..6b6c142c 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/slackhq/nebula
 
-go 1.25.0
+go 1.26
 
 require (
 dario.cat/mergo v1.0.2
diff --git a/interface.go b/interface.go
index f4dbfc19..7d6f90a7 100644
--- a/interface.go
+++ b/interface.go
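Review bot: fips140version in the new fips140.go has no doc comment, and both fmt.Sprintf calls only glue a fixed prefix onto fips140.Version(), so plain concatenation does the same job without importing fmt: `return "only,version=" + fips140.Version()` and `return "on,version=" + fips140.Version()`. Suggest `// fips140version reports the FIPS 140-3 mode of this binary ("only", "on" or "off") and, when the mode is enabled, the version of the Go FIPS module, for the startup log.` The case order is load-bearing, since an enforced run presumably also reports Enabled() and Enforced() must therefore be tested first; a one-line comment such as `// Enforced() implies Enabled(); check the stricter mode first.` would make that explicit. The commit message ties the go 1.26 bump to fips140.Version(); if fips140.Enforced() is also new in that release it is worth naming there too.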
@@ -2,7 +2,6 @@ package nebula
 
 import (
 "context"
- "crypto/fips140"
 "errors"
 "fmt"
 "io"
@@ -234,7 +233,7 @@ func (f *Interface) activate() error {
 "build", f.version,
 "udpAddr", addr,
 "boringcrypto", boringEnabled(),
- "fips140", fips140.Enabled(),
+ "fips140", fips140version(),
 )
 
 if f.routines > 1 {
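Review bot: The `fips140` key in the activate() startup log changes type from bool to string in the second hunk, so any log pipeline or compliance alert that matches on `fips140=true` or `fips140=false` silently stops matching after this change. Either call that out in the commit message or log the mode and version under a separate key such as `"fips140mode", fips140version(),` while keeping the existing boolean field. The import hunk above only drops the now-unused crypto/fips140 import and raises nothing on its own. activate() starts and ends outside the hunk.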