• Sub-task
    • Resolution: Unresolved
    • Release Notes

      For Service Mesh 2.5, we will have to update our base images to UBI9, based on RHEL9. OpenShift Service Mesh uses OpenSSL from the base image for all encryption. As RHEL9's OpenSSL (3.0.1+) will likely still be in the process of being certified by NIST, we will likely not be able to claim FIPS compliance at the time of Service Mesh 2.5's release. This is something that should be noted in our release notes for 2.5 - with an assumed release date of late Q3 / early Q4 2023.

       

      This is the case for OCP 4.13, which is based on RHEL9, thus we can use their messaging around FIPS as a guideline. For example: "<component/operator name> is FIPS ready. However, OpenShift Container Platform 4.13 is based on Red Hat Enterprise Linux (RHEL) 9.2. RHEL 9.2 has not yet been submitted for FIPS validation. Red Hat expects, though cannot commit to a specific timeframe, to obtain FIPS validation for RHEL 9.0 and RHEL 9.2 modules, and later even minor releases of RHEL 9.x. Updates will be available in Compliance Activities and Government Standards."

      Note: The state of OpenSSL 3.0.1... should be validated before publishing the 2.5 release notes. 

            rhn-support-tokeefe Tim O'Keefe