remove fips_enable_tls13_max_for_default_profile build tag

internal/crypto/ptls/default_profile_max_tls_version_for_fips_13.go

@@ -1,10 +0,0 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build fips_enable_tls13_max_for_default_profile
-
-package ptls
-
-import "crypto/tls"
-
-const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13

internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go

@@ -1,10 +0,0 @@
-// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
-// SPDX-License-Identifier: Apache-2.0
-
-//go:build !fips_enable_tls13_max_for_default_profile
-
-package ptls
-
-import "crypto/tls"
-
-const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13 // Starting in Go 1.24, boringcrypto supports TLS 1.3 by default, so this build tag is no longer needed

internal/crypto/ptls/profiles_fips_strict.go

@@ -60,8 +60,7 @@ func init() {
 	// this init runs before we have parsed our config to determine our log level
 	// thus we must use a log statement that will always print instead of conditionally print
 	plog.Always("this server was compiled to use boring crypto in FIPS-only mode",
-		"go version", runtime.Version(),
-		"DefaultProfileMaxTLSVersionForFIPS", tls.VersionName(DefaultProfileMaxTLSVersionForFIPS))
+		"go version", runtime.Version())
 }
 
 // Default: see comment in profiles.go.
@@ -71,7 +70,7 @@ func init() {
 func Default(rootCAs *x509.CertPool) *tls.Config {
 	config := buildTLSConfig(rootCAs, allHardcodedAllowedCipherSuites(), getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo())
 	// Note: starting in Go 1.24, boringcrypto supports TLS 1.3, so we allow it here.
-	config.MaxVersion = DefaultProfileMaxTLSVersionForFIPS
+	config.MaxVersion = tls.VersionTLS13
 	return config
 }