allow both TLS v1.2 and v1.3 in fips mode, supported starting in Go 1.24

Ryan Richard
2025-02-18 10:46:59 -08:00
parent c90637398d
commit 8cfc1c08ec
3 changed files with 13 additions and 17 deletions


@@ -1,4 +1,4 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved. // Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build !fips_enable_tls13_max_for_default_profile //go:build !fips_enable_tls13_max_for_default_profile
@@ -7,4 +7,4 @@ package ptls
import "crypto/tls" import "crypto/tls"
const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS12 const DefaultProfileMaxTLSVersionForFIPS = tls.VersionTLS13 // Starting in Go 1.24, boringcrypto supports TLS 1.3 by default, so this build tag is no longer needed
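Review bot: The new trailing comment on `DefaultProfileMaxTLSVersionForFIPS` says the build tag is no longer needed, yet this file is still guarded by `//go:build !fips_enable_tls13_max_for_default_profile`. If a counterpart file with the opposite constraint still exists (not visible here), both settings of the tag presumably now give the same maximum. I would either remove the tag in this change or mark the leftover explicitly, e.g. `// TODO: remove the fips_enable_tls13_max_for_default_profile build tag; it no longer changes the result as of Go 1.24`. The new value is also only right on a Go 1.24 or newer toolchain, which nothing in the visible lines enforces. It is worth confirming that the module's `go` directive and the FIPS build image both require 1.24.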


@@ -1,4 +1,4 @@
// Copyright 2024 the Pinniped contributors. All Rights Reserved. // Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build fips_strict //go:build fips_strict
@@ -26,7 +26,7 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
// Expected server configuration for the Supervisor's OIDC endpoints. // Expected server configuration for the Supervisor's OIDC endpoints.
&tls.Config{ &tls.Config{
MinVersion: tls.VersionTLS12, // Supervisor OIDC always allows TLS 1.2 clients to connect MinVersion: tls.VersionTLS12, // Supervisor OIDC always allows TLS 1.2 clients to connect
MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet MaxVersion: tls.VersionTLS13,
CipherSuites: []uint16{ CipherSuites: []uint16{
// Supervisor OIDC endpoints configured with EC certs use only EC ciphers. // Supervisor OIDC endpoints configured with EC certs use only EC ciphers.
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -35,8 +35,8 @@ func TestLimitedCiphersFIPS_Disruptive(t *testing.T) {
}, },
// Expected server configuration for the Supervisor and Concierge aggregated API endpoints. // Expected server configuration for the Supervisor and Concierge aggregated API endpoints.
&tls.Config{ &tls.Config{
MinVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet MinVersion: tls.VersionTLS12, // always allow TLS 1.2 in fips mode
MaxVersion: tls.VersionTLS12, // boringcrypto does not use TLS 1.3 yet MaxVersion: tls.VersionTLS13,
CipherSuites: []uint16{ CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
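Review bot: Both expected configs in `TestLimitedCiphersFIPS_Disruptive` now set `MaxVersion: tls.VersionTLS13`, but the visible `CipherSuites` lists still hold only TLS 1.2 suites. Go's `tls.Config.CipherSuites` does not control TLS 1.3 suites, so as far as these lines show, nothing pins which TLS 1.3 suites a FIPS build actually offers. If the scan this test drives can report TLS 1.3 suites, add an expectation that only the AES-GCM ones appear and that `TLS_CHACHA20_POLY1305_SHA256` does not. At minimum, note the gap next to the new lines, e.g. `MaxVersion: tls.VersionTLS13, // TLS 1.3 suites are chosen by crypto/tls, not by CipherSuites below`. The function body continues outside both hunks, so the comparison logic itself is not visible here.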


@@ -1,4 +1,4 @@
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. // Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
//go:build fips_strict //go:build fips_strict
@@ -77,7 +77,7 @@ func TestDefault_Parallel(t *testing.T) {
actual := ptls.Default(aCertPool) actual := ptls.Default(aCertPool)
expected := &tls.Config{ expected := &tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use MaxVersion: tls.VersionTLS13,
CipherSuites: expectedFIPSCipherSuites, CipherSuites: expectedFIPSCipherSuites,
NextProtos: []string{"h2", "http/1.1"}, NextProtos: []string{"h2", "http/1.1"},
RootCAs: aCertPool, RootCAs: aCertPool,
@@ -94,7 +94,7 @@ func TestDefaultLDAP_Parallel(t *testing.T) {
actual := ptls.DefaultLDAP(aCertPool) actual := ptls.DefaultLDAP(aCertPool)
expected := &tls.Config{ expected := &tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use MaxVersion: tls.VersionTLS13,
CipherSuites: expectedFIPSCipherSuites, CipherSuites: expectedFIPSCipherSuites,
NextProtos: []string{"h2", "http/1.1"}, NextProtos: []string{"h2", "http/1.1"},
RootCAs: aCertPool, RootCAs: aCertPool,
@@ -110,10 +110,8 @@ func TestSecure_Parallel(t *testing.T) {
actual := ptls.Secure(aCertPool) actual := ptls.Secure(aCertPool)
expected := &tls.Config{ expected := &tls.Config{
// goboring does not currently support TLS 1.3, so where we would normally require it by making it the MinVersion: tls.VersionTLS12, // allow TLS 1.2 in FIPS mode
// min version for the secure profile, we cannot do that in FIPS mode MaxVersion: tls.VersionTLS13,
MinVersion: tls.VersionTLS12,
MaxVersion: tls.VersionTLS12, // goboring does not currently support TLS 1.3, so prevent its use
CipherSuites: expectedFIPSCipherSuites, CipherSuites: expectedFIPSCipherSuites,
NextProtos: []string{"h2", "http/1.1"}, NextProtos: []string{"h2", "http/1.1"},
RootCAs: aCertPool, RootCAs: aCertPool,
@@ -135,10 +133,8 @@ func TestSecureServing_Parallel(t *testing.T) {
require.Equal(t, options.SecureServingOptionsWithLoopback{ require.Equal(t, options.SecureServingOptionsWithLoopback{
SecureServingOptions: &options.SecureServingOptions{ SecureServingOptions: &options.SecureServingOptions{
CipherSuites: expectedFIPSCipherSuiteNames, CipherSuites: expectedFIPSCipherSuiteNames,
// goboring does not currently support TLS 1.3, so where we would normally require it by making it the MinTLSVersion: "VersionTLS12", // allow TLS 1.2 in FIPS mode
// min version for secure serving for aggregated API servers, we cannot do that in FIPS mode
MinTLSVersion: "VersionTLS12",
}, },
}, *opts) }, *opts)
} }
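Review bot: In `TestSecure_Parallel` and `TestSecureServing_Parallel` the expected minimum stays at TLS 1.2, while the removed comments gave the missing TLS 1.3 support in goboring as the only reason the secure profile could not require TLS 1.3 in FIPS mode. With that limitation gone, the new comment `// allow TLS 1.2 in FIPS mode` states what happens but not why. The result is that a FIPS build's "secure" profile still accepts a lower protocol version than the removed comment says is normally required. If keeping TLS 1.2 is deliberate, record the reason in the comment, for example `// FIPS builds keep TLS 1.2 as the minimum for <reason>`, with the real reason filled in. Otherwise the implementation these tests mirror (not visible here) could set `MinVersion: tls.VersionTLS13` and `MinTLSVersion: "VersionTLS13"` to match the non-FIPS secure profile.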