FIPS mode to enforce boringssl compliance policies #49081
Comments
forgive my ignorance - if we disable TLS1.3, what versions are we going to support? Just 1.2? Or does FIPS require even more ancient versions? AFAIK 1.3 is the latest version and I don't remember a 1.4.
TLS1.2 has no planned obsolescence. We can re-enable TLS1.3 once it has a FIPS mode.
I think we could leverage
Correction: we can't. It doesn't have the max TLS version.
@howardjohn I think this also impacts ambient code - but I'm not familiar with TLS modules used there. |
Background: envoyproxy/envoy#31746, golang/go#65321
FIPS cryptographic module used by Istio requires disabling TLSv1.3 for compliance. Future releases of the module will expose an API to enforce configuration compliance, which is needed in addition to using the signed module builds.
In practical terms, Istio must disable TLSv1.3 on all TLS paths in FIPS mode, which includes Envoy, Go runtime, and gRPC TLS implementations.
In addition, all Wasm modules using grpc_service may be impacted since they are not adhering to the compliance policies.