Non-FIPS builds of teleport in FIPS mode will use TLS 1.3 #24878

Open
espadolini opened this issue Apr 20, 2023 · 0 comments


Expected behavior:
Seeing as crypto/tls doesn't allow any configuration of the TLS 1.3 cipher suites, which include TLS_ECDHE_{RSA,ECDSA}_WITH_CHACHA20_POLY1305_SHA256, and that ChaCha20-Poly1305 is not a FIPS compliant cipher, Go with boringcrypto disables support for TLS 1.3. Since the --fips option on a non-FIPS build of Teleport is supposed to be FedRAMP/FIPS compliant, it should also arrange things so that TLS 1.3 is not used.

Current behavior:
Non-FIPS builds of Teleport use TLS 1.3.

Bug details:

  • Teleport version: since the introduction of FIPS mode or the support of TLS 1.3 in Go

Related issue: #2449

Should we just do what tbot does (#23563) and make Teleport exit with an error if --fips is passed to a non-FIPS build?
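The behaviour described in this issue, as an added example that is not Teleport's code: a loopback handshake in Go showing that restricting CipherSuites alone still negotiates TLS 1.3 (crypto/tls ignores the list for 1.3), while capping MaxVersion at TLS 1.2 is what actually keeps a non-boringcrypto build away from the TLS 1.3 suites. `fipsTLSConfig` and `negotiatedVersion` are assumed names; the self-signed certificate is constructed in the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// fipsTLSConfig caps MaxVersion at 1.2: crypto/tls cannot remove TLS_CHACHA20_POLY1305_SHA256 from TLS 1.3.
func fipsTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}}
}

// negotiatedVersion does a loopback handshake under cfg with a throwaway self-signed cert and returns the agreed version.
func negotiatedVersion(cfg *tls.Config) (uint16, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"loopback"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	srv, cli := cfg.Clone(), cfg.Clone()
	srv.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
	cli.RootCAs, cli.ServerName = pool, "loopback" // the client trusts only the throwaway cert
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and complete the handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() { fmt.Println(negotiatedVersion(fipsTLSConfig())) }
```

With a boringcrypto build the cap is redundant, since that toolchain already refuses TLS 1.3; on a plain build it is the only thing standing between --fips and a ChaCha20-Poly1305 negotiation.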
