Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow TLS 1.3 when crypto/tls/fipsonly is imported #1068

Merged
merged 4 commits into from
Oct 17, 2023
Merged

Allow TLS 1.3 when crypto/tls/fipsonly is imported #1068

merged 4 commits into from
Oct 17, 2023

Conversation

qmuntal
Copy link
Member

@qmuntal qmuntal commented Oct 16, 2023

This PR allows to use clients and server to use TLS 1.3 when crypto/tls/fipsonly is imported.

The major change is that tls.TLS_CHACHA20_POLY1305_SHA256 won't appear in the supported TLS 1.3 cipher suites, as it is not approved by FIPS 140-3.

@qmuntal qmuntal requested review from dagood and gdams October 16, 2023 12:14
dagood
dagood approved these changes Oct 16, 2023
View reviewed changes
patches/0010-allow-TLS-1.3-when-crypto-tls-fipsonly-is-imported.patch
- TLS_RSA_WITH_AES_256_GCM_SHA384:
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_AES_128_GCM_SHA256,
+ TLS_AES_256_GCM_SHA384:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seeing TLS 1.3 suites bunched up with 1.2 suites, I wonder if it would make the tests more specific to separate out when 1.2 vs. 1.3 suites are expected. However: I don't know if this would actually catch anything, and it could be a significant chunk of work that never detects any problem and simply increases conflicts vs. upstream. I think we're better off waiting for upstream to reimplement this test with 1.3 in mind.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point. I'll split it, this way TestBoringServerCipherSuites will also test that we are not returning TLS 1.3 ciphers in TLS 1.2 connections.

@qmuntal qmuntal merged commit 0ce9216 into microsoft/main Oct 17, 2023
19 checks passed
@qmuntal qmuntal deleted the dev/qmuntal/tls13 branch October 17, 2023 12:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gdams gdams gdams approved these changes

@dagood dagood dagood approved these changes

@microsoft-golang-review-bot microsoft-golang-review-bot Awaiting requested review from microsoft-golang-review-bot microsoft-golang-review-bot is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@qmuntal @dagood @gdams