Hello golang-nuts, I haven't found a single discussion about this, so out of pure curiosity I'm going to try and shoot the question.
My intent is not to start a debate on any cipher/mode/signature algorithms' weaknesses but merely to understand some of the limitations that are enforced when using the "crypto/tls/fipsonly" package of the famous boringcrypto fork of golang.

From src/crypto/tls/boring.go <https://github.com/golang/go/blob/dev.boringcrypto.go1.12/src/crypto/tls/boring.go>:

    // defaultFIPSCipherSuites is the FIPS-allowed cipher suites,
    // in preference order (most preferable first).
    var defaultFIPSCipherSuites = []uint16{
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
        TLS_RSA_WITH_AES_128_GCM_SHA256,
        TLS_RSA_WITH_AES_256_GCM_SHA384,
    }

Although boringcrypto's NIST certificate <https://csrc.nist.gov/projects/Cryptographic-Algorithm-Validation-Program/details?source=AES&number=4558> mentions a number of approved AES modes (e.g. CBC), GCM seems to be the only mode that will be allowed for TLS 1.2.

Also on signature algorithms, this is what we find later in the same source file:

    // supportedSignatureAlgorithms returns the supported signature algorithms.
    // It knows that the FIPS-allowed ones are all at the beginning of
    // defaultSupportedSignatureAlgorithms.
    func supportedSignatureAlgorithms(version uint16) []SignatureScheme {
        all := defaultSupportedSignatureAlgorithms
        if version < VersionTLS13 {
            all = defaultSupportedSignatureAlgorithmsTLS12
        }
        if !needFIPS() {
            return all
        }
        i := 0
        for i < len(all) && all[i] != PKCS1WithSHA1 {
            i++
        }
        return all[:i]
    }

PKCS1WithSHA1 is still a perfectly valid FIPS 140-2 <https://csrc.nist.gov/CSRC/media/Publications/fips/140/2/final/documents/fips1402annexa.pdf> signature algorithm, but here it is being explicitly excluded from the supported algorithms. Really, I understand and agree that we're much better off without CBC and SHA1, although sometimes one might not have a choice.
Does anyone know the reasons behind the much stricter limitations compared to FIPS 140-2 when in fipsonly mode? Thanks!!
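An added example (not code from the post or from the Go project) that replays the two restrictions quoted above against a stock Go toolchain: it keeps the same six-suite list, reproduces the PKCS1WithSHA1 prefix filter, and looks each suite up in the standard library's own tables to see which ones that Go version already flags as insecure. The signature-scheme ordering passed in by a caller is assumed to be constructed, with the FIPS-allowed schemes first, as the boring.go comment describes.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Mirrors the defaultFIPSCipherSuites list quoted from boring.go, same order.
var fipsCipherSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
}

// FIPSSignatureSchemes reproduces the prefix filter in
// supportedSignatureAlgorithms: keep everything before PKCS1WithSHA1,
// drop PKCS1WithSHA1 and whatever follows it (caller supplies the ordering).
func FIPSSignatureSchemes(all []tls.SignatureScheme) []tls.SignatureScheme {
	i := 0
	for i < len(all) && all[i] != tls.PKCS1WithSHA1 {
		i++
	}
	return all[:i]
}

// SuiteStatus looks each listed suite up in the stdlib's own tables and
// returns name -> Insecure flag (the RSA key-exchange suites are flagged on
// newer Go versions); it errors on an ID this Go version does not know.
func SuiteStatus() (map[string]bool, error) {
	all := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
	out := map[string]bool{}
	for _, id := range fipsCipherSuites {
		found := false
		for _, cs := range all {
			if cs.ID == id {
				out[cs.Name], found = cs.Insecure, true
			}
		}
		if !found {
			return nil, fmt.Errorf("suite %#04x unknown to this Go version", id)
		}
	}
	return out, nil
}

func main() { fmt.Println(SuiteStatus()) }
```

Note that restricting a stock tls.Config to these suites only narrows negotiation; it does not make the binary FIPS-validated, which is what the boringcrypto build is for.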