allow both TLS v1.2 and v1.3 in fips mode, supported starting in Go 1.24

2025-12-23 06:15:47 +00:00 · 2025-02-18 10:46:59 -08:00
parent c90637398d
commit 8cfc1c08ec
3 changed files with 13 additions and 17 deletions
--- a/test/integration/limited_ciphers_fips_test.go
+++ b/test/integration/limited_ciphers_fips_test.go
@@ -1,4 +1,4 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 //go:build fips_strict
@@ -26,7 +26,7 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 		// Expected server configuration for the Supervisor's OIDC endpoints.
 		&tls.Config{
 			MinVersion: tls.VersionTLS12, // Supervisor OIDC always allows TLS 1.2 clients to connect
-			MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
+			MaxVersion: tls.VersionTLS13,
 			CipherSuites: []uint16{
 				// Supervisor OIDC endpoints configured with EC certs use only EC ciphers.
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -35,8 +35,8 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
 		},
 		// Expected server configuration for the Supervisor and Concierge aggregated API endpoints.
 		&tls.Config{
-			MinVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
-			MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet
+			MinVersion: tls.VersionTLS12, // always allow TLS 1.2 in fips mode
+			MaxVersion: tls.VersionTLS13,
 			CipherSuites: []uint16{
 				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
--- a/test/integration/ptls_fips_test.go
+++ b/test/integration/ptls_fips_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 //go:build fips_strict
@@ -77,7 +77,7 @@ func TestDefault_Parallel(t *testing.T) {
 	actual := ptls.Default(aCertPool)
 	expected := &tls.Config{
 		MinVersion:   tls.VersionTLS12,
-		MaxVersion:   tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+		MaxVersion:   tls.VersionTLS13,
 		CipherSuites: expectedFIPSCipherSuites,
 		NextProtos:   []string{"h2", "http/1.1"},
 		RootCAs:      aCertPool,
@@ -94,7 +94,7 @@ func TestDefaultLDAP_Parallel(t *testing.T) {
 	actual := ptls.DefaultLDAP(aCertPool)
 	expected := &tls.Config{
 		MinVersion:   tls.VersionTLS12,
-		MaxVersion:   tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+		MaxVersion:   tls.VersionTLS13,
 		CipherSuites: expectedFIPSCipherSuites,
 		NextProtos:   []string{"h2", "http/1.1"},
 		RootCAs:      aCertPool,
@@ -110,10 +110,8 @@ func TestSecure_Parallel(t *testing.T) {

 	actual := ptls.Secure(aCertPool)
 	expected := &tls.Config{
-		// goboring does not currently support TLS 1.3, so where we would normally require it by making it the
-		// min version for the secure profile, we cannot do that in FIPS mode
-		MinVersion:   tls.VersionTLS12,
-		MaxVersion:   tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
+		MinVersion:   tls.VersionTLS12, // allow TLS 1.2 in FIPS mode
+		MaxVersion:   tls.VersionTLS13,
 		CipherSuites: expectedFIPSCipherSuites,
 		NextProtos:   []string{"h2", "http/1.1"},
 		RootCAs:      aCertPool,
@@ -135,10 +133,8 @@ func TestSecureServing_Parallel(t *testing.T) {

 	require.Equal(t, options.SecureServingOptionsWithLoopback{
 		SecureServingOptions: &options.SecureServingOptions{
-			CipherSuites: expectedFIPSCipherSuiteNames,
-			// goboring does not currently support TLS 1.3, so where we would normally require it by making it the
-			// min version for secure serving for aggregated API servers, we cannot do that in FIPS mode
-			MinTLSVersion: "VersionTLS12",
+			CipherSuites:  expectedFIPSCipherSuiteNames,
+			MinTLSVersion: "VersionTLS12", // allow TLS 1.2 in FIPS mode
 		},
 	}, *opts)
 }