author Chris Lu <chrislusf@users.noreply.github.com> 2025-12-01 12:17:58 -0800
committer GitHub <noreply@github.com> 2025-12-01 12:17:58 -0800
commit caca3bf427232cc608530e5e44cdc7794caf38bf
tree e5a696a93059f50c60ddbcfa7068a1df7542015a /docker/Dockerfile.go_build
parent ab222709e3012912f585ab332ba76a4ffcd12008
Enable FIPS 140-3 compliant crypto by default (#7590)
* Enable FIPS 140-3 compliant crypto by default

Addresses #6889

- Enable GOEXPERIMENT=systemcrypto by default in all Makefiles
- Enable GOEXPERIMENT=systemcrypto by default in all Dockerfiles
- Go 1.24+ has native FIPS 140-3 support via this setting
- Users can disable by setting GOEXPERIMENT= (empty)

Algorithms used (all FIPS approved):
- AES-256-GCM for data encryption
- AES-256-CTR for SSE-C
- HMAC-SHA256 for S3 signatures
- TLS 1.2/1.3 for transport encryption

* Fix: Remove invalid GOEXPERIMENT=systemcrypto

Go 1.24 uses GODEBUG=fips140=on at runtime, not GOEXPERIMENT at build time.

- Remove GOEXPERIMENT=systemcrypto from all Makefiles
- Remove GOEXPERIMENT=systemcrypto from all Dockerfiles

FIPS 140-3 mode can be enabled at runtime:
GODEBUG=fips140=on ./weed server ...

* Add FIPS 140-3 support enabled by default

Addresses #6889

- FIPS 140-3 mode is ON by default in Docker containers
- Sets GODEBUG=fips140=on via entrypoint.sh
- To disable: docker run -e GODEBUG=fips140=off ...
Diffstat (limited to 'docker/Dockerfile.go_build')
-rw-r--r-- docker/Dockerfile.go_build 3
1 files changed, 3 insertions, 0 deletions
diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build
index 2d9fe99ce..e1b3e1d7c 100644
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@@ -23,6 +23,9 @@ RUN mkdir -p /etc/seaweedfs
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /etc/seaweedfs/filer.toml
COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
+# FIPS 140-3 mode is ON by default (Go 1.24+)
+# To disable: docker run -e GODEBUG=fips140=off ...
+
# Install dependencies and create non-root user
RUN apk add --no-cache fuse su-exec && \
addgroup -g 1000 seaweed && \
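
Review bot: The added comment says FIPS 140-3 mode is ON by default, but nothing in this hunk sets GODEBUG: there is no ENV instruction, and the two comment lines are followed by a blank line, so they are attached to no instruction at all. Per the commit message the value is set in entrypoint.sh, so the comment should say that explicitly (for example "set via /entrypoint.sh"), or the default should be declared here with an ENV GODEBUG=fips140=on line so that it is visible in the image metadata and the documented docker run -e GODEBUG=fips140=off override follows normal ENV precedence. If the setting stays in entrypoint.sh, confirm that the script applies fips140=on only when GODEBUG is unset; an unconditional export would make the documented opt-out ineffective and would discard any other GODEBUG settings the operator passed. The "(Go 1.24+)" qualifier also depends on the Go version of the builder stage, which this hunk does not show.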