fips: update boringssl to use the main branch #39017
Merged
Change-Id: I23c1fcf05b4713d848a2f46852525d6c2506986a Signed-off-by: Kuat Yessenov <kuat@google.com>
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to
Change-Id: I72a46e76eeeb95e462bb2527a4884b561517d272 Signed-off-by: Kuat Yessenov <kuat@google.com>
Change-Id: I0ef615ee86685217ba0966770057d4f18b09e43b
Change-Id: Id69f5cd24aeeea311b994ab7e1b85c6f3cd0cbc2 Signed-off-by: Kuat Yessenov <kuat@google.com>
Change-Id: I6853441787bf21c14d3d0f3c02314d7305baef6c Signed-off-by: Kuat Yessenov <kuat@google.com>
Change-Id: I15a20717ba17484fbdbc75b958bcf2a2ade83e97
Change-Id: Ibd75b040b3ec9d076fe9814bc9ccd8a2c4783460 Signed-off-by: Kuat Yessenov <kuat@google.com>
Change-Id: If3452c8febf4c42f78d4b1f87b45eea14729ba68 Signed-off-by: Kuat Yessenov <kuat@google.com>
Change-Id: I0ea5d21fe52ac96377a7fa769c968075338f2d01 Signed-off-by: Kuat Yessenov <kuat@google.com>
This was referenced Apr 10, 2025
phlax pushed a commit to yanavlasov/envoy that referenced this pull request Dec 9, 2025
Change-Id: I23c1fcf05b4713d848a2f46852525d6c2506986a
Commit Message: Update the BoringSSL FIPS build to use the same commit as a regular non-FIPS build (9/13/2024) per the revised FedRAMP policy.
Additional Description: BoringSSL considers the main branch to be the "update stream" in the policy. The new recommendation is to use the latest stable versions of the compilers, so we also bump Clang version to be the same as the regular build (from 14 to 18). Please note that this change **does not** include setting the compliance policy, as that would be a breaking change.
Risk Level: low (as we match the thoroughly tested non-FIPS build)
Testing: regression tests passed
Issue: envoyproxy#38353
Docs Changes: none
Release Notes: yes (it is quite plausible a default might have changed in the crypto settings due to the large version bump from 2022 to 2024, so this is a notable change).
---------
Signed-off-by: Kuat Yessenov <kuat@google.com>
phlax pushed a commit to yanavlasov/envoy that referenced this pull request Dec 9, 2025
Change-Id: I23c1fcf05b4713d848a2f46852525d6c2506986a
Commit Message: Update the BoringSSL FIPS build to use the same commit as a regular non-FIPS build (9/13/2024) per the revised FedRAMP policy.
Additional Description: BoringSSL considers the main branch to be the "update stream" in the policy. The new recommendation is to use the latest stable versions of the compilers, so we also bump Clang version to be the same as the regular build (from 14 to 18). Please note that this change **does not** include setting the compliance policy, as that would be a breaking change.
Risk Level: low (as we match the thoroughly tested non-FIPS build)
Testing: regression tests passed
Issue: envoyproxy#38353
Docs Changes: none
Release Notes: yes (it is quite plausible a default might have changed in the crypto settings due to the large version bump from 2022 to 2024, so this is a notable change).
---------
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
Change-Id: I23c1fcf05b4713d848a2f46852525d6c2506986a
Commit Message: Update the BoringSSL FIPS build to use the same commit as a regular non-FIPS build (9/13/2024) per the revised FedRAMP policy.
Additional Description: BoringSSL considers the main branch to be the "update stream" in the policy. The new recommendation is to use the latest stable versions of the compilers, so we also bump Clang version to be the same as the regular build (from 14 to 18). Please note that this change does not include setting the compliance policy, as that would be a breaking change.
Risk Level: low (as we match the thoroughly tested non-FIPS build)
Testing: regression tests passed
Issue: #38353
Docs Changes: none
Release Notes: yes (it is quite plausible a default might have changed in the crypto settings due to the large version bump from 2022 to 2024, so this is a notable change).