
DGS-22768 Update FIPS documentation for 140-3 compliance #2119

Merged
Ojasva Jain (ojasvajain) merged 8 commits into master from kipp/fips-140-3
Jan 27, 2026

@kcorman0
Member

What

FIPS 140-3 (newest) requires a newer openssl version, updating documentation around this. Also went through SR dependencies and believe they're still compliant.

Probably need a +1 from clients team for non-SR aspect of this client as the change implies entire client is 140-3 compliant.

Checklist

  • [N] Contains customer facing changes? Including API/behavior changes
  • [Y] Did you add sufficient unit test and/or integration test coverage for this PR?
    • If not, please explain why it is not required

References

JIRA:

Test & Review

Open questions / Follow-ups

Copilot AI review requested due to automatic review settings October 31, 2025 20:23
@confluent-cla-assistant

🎉 All Contributor License Agreements have been signed. Ready to merge.
Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.

Copilot AI left a comment

Pull Request Overview

This PR updates FIPS documentation to support FIPS 140-3 compliance by clarifying the differences between FIPS 140-2 and FIPS 140-3, updating OpenSSL version requirements, and providing clearer guidance for new deployments.

  • Updated OpenSSL version requirements to support both FIPS 140-2 (OpenSSL 3.0.x) and FIPS 140-3 (OpenSSL 3.1.2+)
  • Added recommendation for FIPS 140-3 for new deployments due to upcoming federal procurement requirements
  • Updated configuration examples and links to point to the newer OpenSSL version

@sonarqube-confluent

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

Member

@k-raina Kaushik Raina (k-raina) left a comment

Thanks Kipp Corman (@kcorman0) for the PR!
May I know how you tested this PR with openssl 3.1.2 recommended?

Contributor

@MSeal Matthew Seal (MSeal) left a comment

You may need to make the same changes in the librdkafka repo for the non-SR compliance perspective, since that repo pulls in the openssl dependency for these. I checked and it's currently using version 3.3.2 for the pre-built binaries that we provide, which is compatible, but the readmes all have the 3.0 references instead of the 3.x. Otherwise approved for this repo.

@ojasvajain
Member

Kipp Corman (@kcorman0) We are currently in the process of validating librdkafka for FIPS 140-3 compliance. The process is expected to complete by the end of this month. Let's merge this PR then.

@kcorman0
Member Author

Ojasva Jain (@ojasvajain) is this complete?

@@ -1,12 +1,19 @@
# FIPS Compliance

We need to update the same in https://github.com/confluentinc/docs-clients-confluent-kafka-python/blob/master/overview.rst#fips-compliance docs as well. This is external facing documentation for the same.

Let's pick this up once this PR is merged.

Member

@pranavrth Pranav Rathi (pranavrth) left a comment

Few minor changes.

@sonarqube-confluent

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@ojasvajain Ojasva Jain (ojasvajain) enabled auto-merge (squash) January 26, 2026 07:46
Member

@pranavrth Pranav Rathi (pranavrth) left a comment

LGTM! Rebase the branch.

@ojasvajain Ojasva Jain (ojasvajain) merged commit 97b0dd1 into master Jan 27, 2026
3 checks passed
@ojasvajain Ojasva Jain (ojasvajain) deleted the kipp/fips-140-3 branch January 27, 2026 05:57