FIPS mode to enforce boringssl compliance policies

[kyessenov]

Background: envoyproxy/envoy#31746, golang/go#65321

FIPS cryptographic module used by Istio requires disabling TLSv1.3 for compliance. Future releases of the module will expose an API to enforce configuration compliance, which is needed in addition to using the signed module builds.

In practical terms, Istio must disable TLSv1.3 on all TLS paths in FIPS mode, which includes Envoy, Go runtime, and gRPC TLS implementations.

In addition, all Wasm modules using grpc_service may be impacted since they are not adhering to the compliance policies.

[costinm]

forgive my ignorance - if we disable TLS1.3, what versions are we going to support ? Just 1.2 ? Or does FIPS require even more ancient versions ? AFAIK 1.3 is the latest version and I don't remember a 1.4.

[kyessenov]

TLS1.2 has no planned obsolescence. We can re-enable TLS1.3 once it has a FIPS mode.

[kyessenov]

CC @ramaraochavali @kfaseela.

I think we could leverage mesh_mTLS and tls_defaults flags. The gap is propagating those controls to Envoy and agent, not just istiod process.

[kyessenov]

Correction: we can't. It doesn't have the max TLS version.

[kyessenov]

@howardjohn I think this also impacts ambient code - but I'm not familiar with TLS modules used there.