From 8cfc1c08ec9bf9e01308345ebecb8090a451786c Mon Sep 17 00:00:00 2001 From: Ryan Richard Date: Tue, 18 Feb 2025 10:46:59 -0800 Subject: [PATCH] allow both TLS v1.2 and v1.3 in fips mode, supported starting in Go 1.24 --- ...e_max_tls_version_for_fips_default_value.go | 4 ++-- test/integration/limited_ciphers_fips_test.go | 8 ++++---- test/integration/ptls_fips_test.go | 18 +++++++----------- 3 files changed, 13 insertions(+), 17 deletions(-) diff --git a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go index 0490ffa5a..8d721300a 100644 --- a/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go +++ b/internal/crypto/ptls/default_profile_max_tls_version_for_fips_default_value.go @@ -1,4 +1,4 @@ -// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 //go:build !fips_enable_tls13_max_for_default_profile @@ -7,4 +7,4 @@ package ptls import "crypto/tls" -const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS12 +const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13 // Starting in Go 1.24, boringcrypto supports TLS 1.3 by default, so this build tag is no longer needed diff --git a/test/integration/limited_ciphers_fips_test.go b/test/integration/limited_ciphers_fips_test.go index 7eeb6993b..b25a67438 100644 --- a/test/integration/limited_ciphers_fips_test.go +++ b/test/integration/limited_ciphers_fips_test.go @@ -1,4 +1,4 @@ -// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 //go:build fips_strict @@ -26,7 +26,7 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) { // Expected server configuration for the Supervisor's OIDC endpoints. &tls.Config{ MinVersion: tls.VersionTLS12, // Supervisor OIDC always allows TLS 1.2 clients to connect - MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet + MaxVersion: tls.VersionTLS13, CipherSuites: []uint16{ // Supervisor OIDC endpoints configured with EC certs use only EC ciphers. tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, @@ -35,8 +35,8 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) { }, // Expected server configuration for the Supervisor and Concierge aggregated API endpoints. &tls.Config{ - MinVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet - MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet + MinVersion: tls.VersionTLS12, // always allow TLS 1.2 in fips mode + MaxVersion: tls.VersionTLS13, CipherSuites: []uint16{ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, diff --git a/test/integration/ptls_fips_test.go b/test/integration/ptls_fips_test.go index fcea5fb6c..ae57c991b 100644 --- a/test/integration/ptls_fips_test.go +++ b/test/integration/ptls_fips_test.go @@ -1,4 +1,4 @@ -// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 //go:build fips_strict @@ -77,7 +77,7 @@ func TestDefault_Parallel(t *testing.T) { actual := ptls.Default(aCertPool) expected := &tls.Config{ MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use + MaxVersion: tls.VersionTLS13, CipherSuites: expectedFIPSCipherSuites, NextProtos: []string{"h2", "http/1.1"}, RootCAs: aCertPool, @@ -94,7 +94,7 @@ func TestDefaultLDAP_Parallel(t *testing.T) { actual := ptls.DefaultLDAP(aCertPool) expected := &tls.Config{ MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use + MaxVersion: tls.VersionTLS13, CipherSuites: expectedFIPSCipherSuites, NextProtos: []string{"h2", "http/1.1"}, RootCAs: aCertPool, @@ -110,10 +110,8 @@ func TestSecure_Parallel(t *testing.T) { actual := ptls.Secure(aCertPool) expected := &tls.Config{ - // goboring does not currently support TLS 1.3, so where we would normally require it by making it the - // min version for the secure profile, we cannot do that in FIPS mode - MinVersion: tls.VersionTLS12, - MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use + MinVersion: tls.VersionTLS12, // allow TLS 1.2 in FIPS mode + MaxVersion: tls.VersionTLS13, CipherSuites: expectedFIPSCipherSuites, NextProtos: []string{"h2", "http/1.1"}, RootCAs: aCertPool, @@ -135,10 +133,8 @@ func TestSecureServing_Parallel(t *testing.T) { require.Equal(t, options.SecureServingOptionsWithLoopback{ SecureServingOptions: &options.SecureServingOptions{ - CipherSuites: expectedFIPSCipherSuiteNames, - // goboring does not currently support TLS 1.3, so where we would normally require it by making it the - // min version for secure serving for aggregated API servers, we cannot do that in FIPS mode - MinTLSVersion: "VersionTLS12", + CipherSuites: expectedFIPSCipherSuiteNames, + MinTLSVersion: "VersionTLS12", // allow TLS 1.2 in FIPS mode }, }, *opts) }