-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows FIPS compliant App publishes FIPS and non-FIPS ciphers during TLS handshake #1434
Comments
This doesn't repro for me. I used this program that prints out Go's TLS settings: https://gist.github.com/dagood/f5b825f8e07a564f347a43f1523e8f1c In a Windows VM, I ran it normally, and it got:
I enabled the FIPS local policy using the Windows UI and restarted the VM, then the program got:
Maybe you can try your interception approach with that test program and see if it shows different results for you? |
Thanks @dagood. Thought the policy is enabled and the service is built with goexperiment.systemcrypto tag, when it runs and I capture the traffic (filter by usingtcp.port == 443 && tls.handshake), when checking the client published ciphers I get a mix of FIPS and non-FIPS ciphers. |
Yep, I got there by searching "local security policy", but the rest of the path is the same. I am on Windows 11 rather than 10, but I wouldn't expect any difference here. A few things I'd like to confirm:
|
Thanks @dagood for the detailed reply. |
On my end, I've now reproduced the good behavior on a win10 VM:
(Even when using the policy radio box, rebooting doesn't appear to be necessary in my tests on that win10 VM. I'm not sure why I had a different experience on a win11 VM. Either way, generally docs do recommend a reboot.) |
@dagood, I've cloned, built and run the server & client on my Windows VM.
Build special settings:
Built with Microsoft go fork Note: Windows policy was enabled but used the regkey and GOFIPS to emulate enable/disable of the FIPS mode. Run two tests:
Results:
Client side:
FIPS mode disabled -
Client:
I see that when running in FIPS mode enabled no non-FIPS cipher is listed. The list of omitted ciphers in FIPS mode: I learned that my Windows VM has correct setup. The next thing I'll do is to repeat a similar test with my app and share the results. |
After analyzing the Wireshark capture of the app, the conclusion is that the Go part is publishing only FIPS ciphers as expected. The TLS client hello with a list containing a mix of FIPS and non-FOPS ciphers was recorded from the browser and a part of the client app that is written in C++, hence was not built using Microsoft Go. |
The Go app is was built with latest Microsoft Go fork release basked on Go 1.23.x. It was built with goexperiment.systemcrypto tag.
The platform is Win 10 22H2 VM.
Fips local policy, security option is enabled (System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing).
Capturing the app traffic and analyzing TLS handshake, I see that the app continues to publish send a list of FIPS and non-FIPS ciphers.
The question is why does the FIPS compliant built app keeps publishing non-FIPS ciphers in FIPS mode?
Thanks
The text was updated successfully, but these errors were encountered: