fix: allow sha-1 for ws handshake

Author: cardoso

ee/apps/ddp-streamer/Dockerfile

@@ -123,8 +123,13 @@ FROM rocketchatfips140/dhi-node:22-alpine3.23 AS release-fips
 ARG SERVICE
 ENV NODE_ENV=production \
     PORT=3000
+
+# Keep provider behavior explicit for auditing: enable FIPS provider while allowing
+# fallback to default provider for legacy algorithms required by dependencies.
+COPY ./ee/apps/ddp-streamer/openssl-ddp-streamer-fips.cnf /etc/ssl/openssl-ddp-streamer-fips.cnf
+
 COPY --chown=node:node --from=builder /app /app
 WORKDIR /app/ee/apps/${SERVICE}
 USER node
 EXPOSE 3000 9458
-CMD ["node", "--require", "./src/fips.js", "src/service.js"]
+CMD ["node", "--openssl-config=/etc/ssl/openssl-ddp-streamer-fips.cnf", "--openssl-shared-config", "--require", "./src/fips.js", "src/service.js"]

ee/apps/ddp-streamer/openssl-ddp-streamer-fips.cnf

@@ -0,0 +1,14 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+fips = fips_sect
+default = default_sect
+
+[fips_sect]
+activate = 1
+
+[default_sect]
+activate = 1

ee/apps/ddp-streamer/src/fips.ts

@@ -1,7 +1,13 @@
 import crypto from 'crypto';
 
-crypto.setFips(true);
+const OPENSSL_CONFIG_PATH = '/etc/ssl/openssl-ddp-streamer-fips.cnf';
+const hasOpenSSLConfigFlag = process.execArgv.some((arg) => arg.startsWith('--openssl-config='));
+const hasOpenSSLSharedConfigFlag = process.execArgv.includes('--openssl-shared-config');
 
 console.log('=========================================');
-console.log('FIPS COMPLIANCE CHECK: YES');
+console.log(`Node FIPS Mode Flag: ${crypto.getFips() === 1 ? 'ENABLED' : 'DISABLED'}`);
+console.log(`OpenSSL Config Path: ${OPENSSL_CONFIG_PATH}`);
+console.log(`OpenSSL Config Flag Present: ${hasOpenSSLConfigFlag ? 'YES' : 'NO'}`);
+console.log(`OpenSSL Shared Config Flag Present: ${hasOpenSSLSharedConfigFlag ? 'YES' : 'NO'}`);
+console.log('OpenSSL provider policy expected: fips + default fallback.');
 console.log('=========================================');