Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- Impala 4.0.0
Description
The Webserver class (be/src/util/webserver.h) is a wrapper around the third-party web server library Squeasel. Squeasel supports HTTP Digest Access Authentication with the MD5 hash algorithm (RFC 2069, RFC 2617). Since MD5 is not allowed in FIPS mode, HTTP Digest Authentication will not work with a FIPS-certified crypto library. In 2015, RFC 7616 replaced RFC 2617 and added 4 new algorithms: "SHA-256", "SHA-256-sess", "SHA-512/256" and "SHA-512/256-sess". The encoding is equivalent to that of the "MD5" and "MD5-sess" algorithms, with the MD5 hash function replaced by SHA-256 or SHA-512/256.
In FIPS mode, it's better to support the SHA-256 hash algorithm for HTTP Digest Authentication in Squeasel.
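The following Python sketch is an added example, not code from Squeasel or Impala. It shows the qop=auth response computation with the hash function as the only variable, plus a server-side check that refuses MD5 when a FIPS flag is set. The function names, the `fips_mode` parameter and the dict of parsed header fields are assumptions made for illustration; the sample values come from the RFC 2617 example request.

```python
import hashlib
import hmac

# Digest "algorithm" tokens mapped to hashlib names (subset of RFC 7616).
ALGORITHMS = {"MD5": "md5", "SHA-256": "sha256"}
FIPS_APPROVED = {"SHA-256"}  # MD5 is not allowed in FIPS mode


def _h(name, text):
    """H(data): lowercase hex digest of the UTF-8 encoded string."""
    return hashlib.new(name, text.encode("utf-8")).hexdigest()


def digest_response(algorithm, username, realm, password, method, uri,
                    nonce, nc, cnonce, qop="auth"):
    """qop=auth response; the encoding is identical, only H() changes."""
    name = ALGORITHMS[algorithm]
    ha1 = _h(name, f"{username}:{realm}:{password}")
    ha2 = _h(name, f"{method}:{uri}")
    return _h(name, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(auth, password, method, fips_mode):
    """Server-side check of already-parsed Authorization header fields."""
    algorithm = auth.get("algorithm", "MD5")  # MD5 is assumed when omitted
    if algorithm not in ALGORITHMS:
        return False
    if fips_mode and algorithm not in FIPS_APPROVED:
        return False  # refuse up front rather than fail inside the library
    expected = digest_response(algorithm, auth["username"], auth["realm"],
                               password, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    # Constant-time comparison of the hex strings.
    return hmac.compare_digest(expected.encode(),
                               auth.get("response", "").encode())


# Sample fields from the RFC 2617 section 3.5 example (not Impala data).
SAMPLE = {"username": "Mufasa", "realm": "testrealm@host.com",
          "uri": "/dir/index.html", "qop": "auth", "nc": "00000001",
          "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "cnonce": "0a4f113b"}
PASSWORD = "Circle Of Life"


def sample_request(algorithm):
    """Build the fields a client would send for SAMPLE with this algorithm."""
    auth = dict(SAMPLE, algorithm=algorithm)
    auth["response"] = digest_response(algorithm, password=PASSWORD,
                                       method="GET", **SAMPLE)
    return auth
```

On a Python build linked against a FIPS-enforcing crypto library, `sample_request("MD5")` raises `ValueError` from `hashlib`, which is the failure mode the description refers to.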
Squeasel also uses the SHA-1 hash algorithm for the WebSocket handshake. Since SHA-1 is soon to be deprecated, we should replace SHA-1 with SHA-512. Note that WebSocket is only available when Squeasel is compiled with -DUSE_WEBSOCKET, but Impala integrates Squeasel without defining USE_WEBSOCKET, so WebSocket is not currently supported. It's not urgent to replace SHA-1 with SHA-512.