crypto/tls: Permit recently FIPS-approved protocols/algorithms #62372
…-mode TLS 1.3 is permitted by NIST SP 800-52 Rev. 2 and will be required starting January 1, 2024. Ed25519 as a signature algorithm is permitted by FIPS 186-5. Fixes golang#62372.
Change https://go.dev/cl/524355 mentions this issue:
CC @golang/security
It sounds like this change is needed in (Edit: Whoops, off by one.)
TLS 1.3 is permitted by NIST SP 800-52 Rev. 2 and will be required starting January 1, 2024. Updates golang#62372
As I understand Go's release policy and release cadence, then yes. I had originally included multiple changes in my PR to address the recent FIPS / NIST improvements, but I re-scoped it solely to address the TLS v1.3 support to bring it inline with what BoringSSL already supports and due to the impending deadline. I'll open up additional PRs for other things, but it's possible some of those changes might need re-certification by NIST as part of the move to FIPS 140-3.
The latest BoringCrypto validation, both according to the docs and to a CMVP search is certificate #4407. Its security policy specifies 853ca1ea1168dff08011e5d42d94609cc0ca2e27 as the version, which is The Approved Algorithms don't list Ed25519 (which I don't think would have been possible, since this is a FIPS 140-2 certificate). The security policy mentions TLS 1.2 in various places, but not TLS 1.3. I'm afraid that we can't enable these algorithms with the current BoringCrypto module version. The Modules In Process List has a BoringCrypto FIPS 140-3 validation In Review, for what I presume might be @agl, is it ok to switch to
@FiloSottile To be clear, this is an overarching issue covering the fact that FIPS 140-3 and other NIST standards have changed what's permitted (including Separately, #62373 is specifically around enabling TLS 1.3 using the existing
Discussed this offline with @agl. My understanding is that on the Go side we have three imperfect options:
We have precedent for upgrading to an In Review module, and most consumers I have heard from are comfortable with that, so I'm picking (2). I'll open freeze exception and backport issues next week.
Appreciate you following-up on this. (2) does seem like the best of the non-great options. Just to be clear, has it been confirmed that the
I understand that
Did the freeze exception and backport issues get filed?
Change https://go.dev/cl/549695 mentions this issue:
Change https://go.dev/cl/549975 mentions this issue:
Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a following CL, to avoid rebuilding the syso twice. Updates #64717 Updates #62372 Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-boringcrypto Reviewed-on: https://go-review.googlesource.com/c/go/+/549695 Reviewed-by: Than McIntosh <thanm@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
This enables TLS 1.3, disables P-521, and disables non-ECDHE suites. Fixes #64717 Updates #62372 Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091 Reviewed-on: https://go-review.googlesource.com/c/go/+/549975 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Than McIntosh <thanm@google.com>
Change https://go.dev/cl/553856 mentions this issue:
Change https://go.dev/cl/553855 mentions this issue:
Change https://go.dev/cl/553875 mentions this issue:
Change https://go.dev/cl/553876 mentions this issue:
…s-20220613 Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a following CL, to avoid rebuilding the syso twice. Updates #64717 Updates #62372 Updates #64718 Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce Cq-Include-Trybots: luci.golang.try:go1.20-linux-amd64-boringcrypto Reviewed-on: https://go-review.googlesource.com/c/go/+/549695 Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/553875 Auto-Submit: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
…SL policy This enables TLS 1.3, disables P-521, and disables non-ECDHE suites. Updates #64717 Updates #62372 Fixes #64718 Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091 Reviewed-on: https://go-review.googlesource.com/c/go/+/549975 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/553876 Run-TryBot: Matthew Dempsky <mdempsky@google.com> Auto-Submit: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
…s-20220613 Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a following CL, to avoid rebuilding the syso twice. Updates #64717 Updates #62372 Updates #64719 Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce Cq-Include-Trybots: luci.golang.try:go1.21-linux-amd64-boringcrypto Reviewed-on: https://go-review.googlesource.com/c/go/+/549695 Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-on: https://go-review.googlesource.com/c/go/+/553855 Auto-Submit: Matthew Dempsky <mdempsky@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Run-TryBot: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com>
…SL policy This enables TLS 1.3, disables P-521, and disables non-ECDHE suites. Updates #64717 Updates #62372 Fixes #64719 Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091 Reviewed-on: https://go-review.googlesource.com/c/go/+/549975 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/553856 Auto-Submit: Matthew Dempsky <mdempsky@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com>
I tried pulling in this change in go 1.21.6 and it appears It looks like it was dropped intentionally from boringAllowCert. Is that expected?
Yes, this brings us in alignment with BoringSSL which only permits P-256 and P-384
Thanks for the info. Unfortunately this breaks some of our existing certs in the field and will require a rotation.
@FiloSottile sorry, could you help to elaborate on why we didn't go with the currently validated
See #62372 (comment) and #62372 (comment). The Some auditors might accept an argument that that's ok, just like some auditors might accept In Review modules. I can't advise on what is necessary for your specific compliance goals.
BoringSSL presumably added it for Google Cloud, https://boringssl-review.googlesource.com/c/boringssl/+/52625 The BoringCrypto fips-20210429 certificate approves P-521. SP 800-52r2 does not forbid P-521 either:
and
Presumably this was the reason to enable it before in https://go-review.googlesource.com/c/go/+/343880 Is there a compelling reason to disable support for P-521? Normally it should not be in use, but there may be edge cases where support for such client/server certificates is still needed in TLS. |
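As an added example, not code from the Go project or from anyone in this thread, here is a small Go check of the policy the commits and comments above describe: the two TLS 1.3 AES-GCM suites on, non-ECDHE suites off, and only P-256/P-384 ECDSA keys accepted. The suite table is my reading of the thread rather than Go's internal list, and the keys are constructed throwaways; in practice you would feed `cert.PublicKey` from parsed certificates to find the P-521 ones that need rotation before upgrading.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"fmt"
)

// fipsSuiteAllowed approximates the FIPS-only suite policy described in this thread
// (an assumption for illustration, not Go's own table): the two TLS 1.3 AES-GCM suites
// plus the TLS 1.2 ECDHE AES-GCM suites; non-ECDHE suites are rejected.
func fipsSuiteAllowed(id uint16) bool {
	switch id {
	case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
		return true
	}
	return false
}

// keyCurveAllowed reports whether a public key (for example cert.PublicKey of a parsed
// *x509.Certificate) is an ECDSA key on P-256 or P-384, the only curves the aligned
// policy keeps; P-521 keys are the ones that would need rotation.
func keyCurveAllowed(pub crypto.PublicKey) bool {
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false // not ECDSA: outside the scope of this curve check
	}
	return ec.Curve == elliptic.P256() || ec.Curve == elliptic.P384()
}

func main() {
	for _, c := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
		key, err := ecdsa.GenerateKey(c, rand.Reader) // constructed throwaway key
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s key allowed: %v\n", c.Params().Name, keyCurveAllowed(&key.PublicKey))
	}
	fmt.Println("static RSA suite allowed:", fipsSuiteAllowed(tls.TLS_RSA_WITH_AES_128_GCM_SHA256))
}
```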
Change https://go.dev/cl/558796 mentions this issue:
This reverts commit 7383b2a ("crypto/internal/boring: upgrade module to fips-20220613") and commit 4106de9 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes #65321 Updates #64717 Updates #62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Change https://go.dev/cl/558797 mentions this issue:
…e to fips-20220613" +1 This reverts commit 7383b2a ("crypto/internal/boring: upgrade module to fips-20220613") and commit 4106de9 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes #65324 Updates #65321 Updates #64717 Updates #62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 09b5de4) Reviewed-on: https://go-review.googlesource.com/c/go/+/558797 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Change https://go.dev/cl/560275 mentions this issue:
Change https://go.dev/cl/560276 mentions this issue:
…e to fips-20220613" +1 This reverts CL 553855 ("crypto/internal/boring: upgrade module to fips-20220613") and CL 553856 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes #65323 Updates #65321 Updates #64717 Updates #62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 09b5de4) Reviewed-on: https://go-review.googlesource.com/c/go/+/560275
…e to fips-20220613" +1 This reverts CL 553875 ("crypto/internal/boring: upgrade module to fips-20220613") and CL 553876 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes #65322 Updates #65321 Updates #64717 Updates #62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> (cherry picked from commit 09b5de4) Reviewed-on: https://go-review.googlesource.com/c/go/+/560276
@FiloSottile, can you please help us understand in which release fips-20220613 will be available? Is this version under review for FIPS 140-3 certification? Thanks!
@sAnjAy060897 see #65321 linked above.
Also, add EVP_aead_aes_*_gcm_tls13 to the build, which we will need in a following CL, to avoid rebuilding the syso twice. Updates golang#64717 Updates golang#62372 Change-Id: Ie4d853ad9b914c1095cad60694a1ae6f77dc22ce Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-boringcrypto Reviewed-on: https://go-review.googlesource.com/c/go/+/549695 Reviewed-by: Than McIntosh <thanm@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org>
This enables TLS 1.3, disables P-521, and disables non-ECDHE suites. Fixes golang#64717 Updates golang#62372 Change-Id: I3a65b239ef0198bbdbe5e55e0810e7128f90a091 Reviewed-on: https://go-review.googlesource.com/c/go/+/549975 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Than McIntosh <thanm@google.com>
This reverts commit 7383b2a ("crypto/internal/boring: upgrade module to fips-20220613") and commit 4106de9 ("crypto/tls: align FIPS-only mode with BoringSSL policy"). Fixes golang#65321 Updates golang#64717 Updates golang#62372 Change-Id: I0938b97e5b4904e6532448b8ae76e920d03d0508 Reviewed-on: https://go-review.googlesource.com/c/go/+/558796 Reviewed-by: Michael Knyszek <mknyszek@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Change https://go.dev/cl/603375 mentions this issue:
Change https://go.dev/cl/603376 mentions this issue:
… 4735 Reapplies CL 549695 now that the certificate was issued. Updates #64717 Updates #62372 Change-Id: Ie37abed5c5aceac435d92397ed626dfeefabe5ab Reviewed-on: https://go-review.googlesource.com/c/go/+/603375 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: David Chase <drchase@google.com>
This enables TLS 1.3, disables P-521, and disables non-ECDHE suites. Reapplies CL 549975. Updates #64717 Updates #62372 Change-Id: I6c608704638d59a063a657fbd4eb1126027112dd Reviewed-on: https://go-review.googlesource.com/c/go/+/603376 Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com>
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes
What did you do?
When in FIPS-mode, BoringCrypto does not support recently permitted protocols/algorithms.
What did you expect to see?
Support for TLS v1.3 (permitted by NIST SP 800-52 Rev. 2), including cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384. See also GSA IT Security Procedural Guide: SSL/TLS Implementation CIO-IT Security-14-69. Note that TLS 1.3 support is required starting January 1, 2024.
Support for Ed25519 signature algorithm (permitted by FIPS 186-5).
FIPS 140-3 made some changes that permitted these new protocols/algorithms.
Note that the BoringSSL fips-20220613 branch already supports TLS 1.3 and some other improvements by way of SSL_CTX_set_compliance_policy(ssl_compliance_policy_fips_202205). This helps bring BoringCrypto into alignment from the TLS perspective.
What did you see instead?
Only TLS v1.2 supported. No support for TLS v1.3.
No support for Ed25519 as a signature algorithm.