Story

Author here. This came out of debugging a real Rails app running in a FIPS enabled container.

Everything looked correct. OpenSSL 3 with the FIPS provider enabled. Ruby built against it. A simple pg connection worked.

The app failed once ActiveRecord was involved. The error came from libpq. It turned out the pg gem had pulled in a prebuilt native dependency that was linked against different crypto. That path was always there. It just was not exercised until ActiveRecord hit it.

Forcing a source build fixed the issue because the extension then linked against the OpenSSL in the image.

The takeaway is that a FIPS base image does not mean your dependency graph respects the same boundary once native code is involved.

Curious how others have seen this play out in Ruby, Python wheels, Go with CGO, or Node native addons.