Expected behavior:
Seeing as crypto/tls doesn't allow any configuration of the TLS 1.3 cipher suites, which include TLS_ECDHE_{RSA,ECDSA}_WITH_CHACHA20_POLY1305_SHA256, and that ChaCha20-Poly1305 is not a FIPS-compliant cipher, Go with BoringCrypto disables support for TLS 1.3. Since the --fips option on a non-FIPS build of teleport is supposed to be FedRAMP/FIPS compliant, it should also arrange things so that TLS 1.3 is not used.
Current behavior:
Non-FIPS builds of Teleport use TLS 1.3.
Bug details:
Teleport version: since the introduction of FIPS mode or the support of TLS 1.3 in Go
Related issue: #2449
Should we just do what tbot does (#23563) and make teleport exit with an error if --fips is passed to a non-FIPS build?
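The crypto/tls behaviour the issue describes, shown as an added example that is not Teleport's code: `tls.Config.CipherSuites` only restricts the TLS 1.0 to 1.2 suites, so a server that sets an AES-GCM-only list still negotiates TLS 1.3 (and possibly TLS_CHACHA20_POLY1305_SHA256) with a TLS 1.3-capable client, while capping `MaxVersion` at TLS 1.2 is what actually keeps the fixed TLS 1.3 suite list off the wire. The suite allow-list, the NIST-only curve preference and the self-signed localhost certificate are assumptions made for this example, not Teleport's FIPS settings.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fipsCipherSuites is an assumed allow-list for a --fips build: ECDHE key
// exchange with AES-GCM only, no ChaCha20-Poly1305. Example choice, not
// Teleport's actual list.
var fipsCipherSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

func isFIPSSuite(id uint16) bool {
	for _, s := range fipsCipherSuites {
		if s == id {
			return true
		}
	}
	return false
}

// suiteListOnlyConfig filters the TLS 1.2 suites but leaves MaxVersion at the
// crypto/tls default. CipherSuites does not apply to TLS 1.3, so a TLS 1.3
// client still negotiates TLS 1.3 against this config.
func suiteListOnlyConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: fipsCipherSuites}
}

// fipsTLSConfig adds the MaxVersion cap, the only crypto/tls knob that keeps
// the fixed TLS 1.3 suite list (which includes ChaCha20-Poly1305) off the wire.
func fipsTLSConfig() *tls.Config {
	cfg := suiteListOnlyConfig()
	cfg.MaxVersion = tls.VersionTLS12
	cfg.CurvePreferences = []tls.CurveID{tls.CurveP256, tls.CurveP384} // assumed NIST-only policy
	return cfg
}

// selfSignedCert builds a throwaway ECDSA P-256 certificate for "localhost".
// Constructed test material only.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// negotiate runs one handshake over an in-memory pipe between a server using
// serverCfg and a client willing to speak TLS 1.3, and returns the negotiated
// protocol version and cipher suite.
func negotiate(serverCfg *tls.Config) (version, suite uint16, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	sc := serverCfg.Clone()
	sc.Certificates = []tls.Certificate{cert}
	sc.SessionTicketsDisabled = true // no post-handshake tickets, so the flights stay strictly alternating over net.Pipe

	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cc := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12} // offers TLS 1.3

	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sConn, sc).Handshake() }()

	client := tls.Client(cConn, cc)
	if err := client.Handshake(); err != nil {
		return 0, 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, 0, err
	}
	cs := client.ConnectionState()
	return cs.Version, cs.CipherSuite, nil
}

func main() {
	for _, c := range []struct {
		name string
		cfg  *tls.Config
	}{{"suite list only", suiteListOnlyConfig()}, {"MaxVersion capped", fipsTLSConfig()}} {
		v, s, err := negotiate(c.cfg)
		if err != nil {
			fmt.Println(c.name, "handshake failed:", err)
			continue
		}
		fmt.Printf("%-18s version=%#x suite=%s fips=%v\n", c.name, v, tls.CipherSuiteName(s), isFIPSSuite(s))
	}
}
```

The first handshake lands on TLS 1.3 despite the suite list; the second is forced to TLS 1.2 and one of the listed AES-GCM suites, which is the effect a --fips build would need to reproduce without BoringCrypto.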