log the fips140 mode and version

Requires go1.26 for fips140.Version()

README.md

@@ -156,13 +156,15 @@ make bin-boringcrypto
 make release-boringcrypto
 ```
 
-Nebula can also be built using the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets:
+Nebula can also be built to support the [FIPS 140-3](https://go.dev/doc/security/fips140) mode of Go by running either of the following make targets. (this must be set at compile time so that the correct AES-GCM can be used for FIPS 140-3 enforcement mode).
 
 ```sh
 make fips140
 make fips140 release
 ```
 
+You will then also need to run nebula with `GODEBUG=fips140=only` to enable usage at runtime.
+
 This is not the recommended default deployment, but may be useful based on your compliance requirements.
 
 ## Credits

fips140.go

@@ -0,0 +1,17 @@
+package nebula
+
+import (
+	"crypto/fips140"
+	"fmt"
+)
+
+func fips140version() string {
+	switch {
+	case fips140.Enforced():
+		return fmt.Sprintf("only,version=%s", fips140.Version())
+	case fips140.Enabled():
+		return fmt.Sprintf("on,version=%s", fips140.Version())
+	default:
+		return "off"
+	}
+}

go.mod

@@ -1,6 +1,6 @@
 module github.com/slackhq/nebula
 
-go 1.25.0
+go 1.26
 
 require (
 	dario.cat/mergo v1.0.2

interface.go

@@ -2,7 +2,6 @@ package nebula
 
 import (
 	"context"
-	"crypto/fips140"
 	"errors"
 	"fmt"
 	"io"
@@ -234,7 +233,7 @@ func (f *Interface) activate() error {
 		"build", f.version,
 		"udpAddr", addr,
 		"boringcrypto", boringEnabled(),
-		"fips140", fips140.Enabled(),
+		"fips140", fips140version(),
 	)
 
 	if f.routines > 1 {