mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-04 12:14:24 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Revert support TLS 1.3 in FIPS mode because Go reverted goboring upgrade

Browse Source 
Goboring only allows TLS 1.2.

The next goboring will allow both TLS 1.2 and TLS 1.3. We got a preview
of this when the Go team upgraded goboring in Go 1.21.6, but then
downgraded it again in the next Go releases.

When the Go team eventually upgrades goboring again, then we can
revert this commit to bring back TLS 1.3 support in FIPS mode.
This commit is contained in:
Ryan Richard
2024-02-08 09:43:30 -08:00
parent e303a45dd1
commit d2794114f4
2 changed files with 21 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
internal/crypto/ptls/fips_strict.go
View File

@@ -1,8 +1,7 @@
// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// The configurations here override the usual ptls.Default and ptls.DefaultLDAP
// configs when Pinniped is built in fips-only mode.
// The configurations here override the usual configs when Pinniped is built in fips-only mode.
//go:build fips_strict
package ptls
@@ -14,16 +13,15 @@ import (
"path/filepath"
"runtime"
"k8s.io/apiserver/pkg/server/options"
// Cause fipsonly tls mode with this side effect import.
_ "go.pinniped.dev/internal/crypto/fips"
"go.pinniped.dev/internal/plog"
)
// goboring now also supports TLS 1.3 starting in Golang 1.21.6
// (see https://github.com/golang/go/issues/64717),
// so we can use TLS 1.3 as the minimum TLS version for our "secure" configuration
// profile in both FIPS and non-FIPS compiled binaries.
// Hence, we no longer redefine the Secure() function in this file.
// Until goboring supports TLS 1.3, use TLS 1.2.
const SecureTLSConfigMinTLSVersion = tls.VersionTLS12
func init() {
switch filepath.Base(os.Args[0]) {
@@ -40,9 +38,8 @@ func init() {
func Default(rootCAs *x509.CertPool) *tls.Config {
return &tls.Config{
MinVersion: tls.VersionTLS12,
// goboring now also supports TLS 1.3 (see https://github.com/golang/go/issues/64717)
// so this default configuration can allow either 1.2 or 1.3
MaxVersion: SecureTLSConfigMinTLSVersion,
// Until goboring supports TLS 1.3, make the max version 1.2.
MaxVersion: tls.VersionTLS12,
// This is all the fips-approved TLS 1.2 ciphers.
// The list is hard-coded for convenience of testing.
@@ -53,6 +50,8 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
// enable HTTP2 for go's 1.7 HTTP Server
@@ -65,6 +64,16 @@ func Default(rootCAs *x509.CertPool) *tls.Config {
}
}
// Until goboring supports TLS 1.3, make the Secure profile the same as the Default profile in FIPS mode.
func Secure(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs)
}
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config {
return Default(rootCAs)
}
// Until goboring supports TLS 1.3, make secureServing use the same as the defaultServing profile in FIPS mode.
func secureServing(opts *options.SecureServingOptionsWithLoopback) {
defaultServing(opts)
}

2
internal/crypto/ptls/secure.go
View File

@@ -1,6 +1,8 @@
// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
//go:build !fips_strict
package ptls
import (