Add FIPS (BoringCrypto) support #2108

Closed
jonacto-google opened this issue Feb 14, 2024 · 2 comments
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@jonacto-google

Feature Description

In pursuit of FedRAMP authorization, there's a customer need to ensure that all cryptographic modules in use within their GCP environment are FIPS validated. BoringCrypto is one such module that could be used by Cloud SQL Auth Proxy to meet this requirement.

Sample code

// sample code here

Alternatives Considered

No response

Additional Details

No response

@jonacto-google jonacto-google added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Feb 14, 2024
@enocom enocom added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. priority: p2 Moderately-important priority. Fix may not be included in next release. and removed priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Feb 14, 2024
@enocom
Member

enocom commented Feb 14, 2024

Thanks for the request.

I think this is as simple as running the following command for all our existing architecture / OS combinations:

```sh
# CGO might be required
CGO_ENABLED=1 GOEXPERIMENT=boringcrypto go build
```

And as of golang/go#64717, Go supports TLS 1.3 with boringcrypto.

Since Go makes no statements about FIPS compliance AFAIK, I think we can't either. However, we can certainly publish binaries built against boringcrypto. We'll need some time to validate these builds but can probably do that within the next few releases.
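
One way to check that a published binary came from the build command in the comment above, as an added example that is not code from this issue or from the project: it reads the build settings the go command embeds in a binary and reports whether `GOEXPERIMENT` lists `boringcrypto` and whether cgo was enabled. The names `inspectSettings`, `setting` and `checkboring` are hypothetical, and the check assumes the binary was built by a go command that records `GOEXPERIMENT` and `CGO_ENABLED` in its build info.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"log"
	"os"
	"runtime/debug"
	"strings"
)

// setting aliases the key/value records the go command embeds in a binary.
type setting = debug.BuildSetting

// inspectSettings reports whether the embedded build settings show the
// boringcrypto experiment and cgo, the two inputs of the command above.
func inspectSettings(settings []setting) (boring, cgo bool) {
	for _, s := range settings {
		switch s.Key {
		case "GOEXPERIMENT":
			// Comma-separated list; require the exact name so a near miss
			// such as "boringcrypt" does not pass.
			for _, exp := range strings.Split(s.Value, ",") {
				if strings.TrimSpace(exp) == "boringcrypto" {
					boring = true
				}
			}
		case "CGO_ENABLED":
			cgo = s.Value == "1"
		}
	}
	return boring, cgo
}

func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: checkboring <go-binary>")
	}
	info, err := buildinfo.ReadFile(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	boring, cgo := inspectSettings(info.Settings)
	fmt.Printf("go=%s boringcrypto=%v cgo=%v\n", info.GoVersion, boring, cgo)
	if !boring || !cgo {
		os.Exit(1) // non-zero exit lets a release pipeline reject the artifact
	}
}
```

The result describes how the binary was built; it is not a statement about FIPS validation.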

@enocom enocom assigned hessjcg and unassigned enocom May 1, 2024
@enocom
Member

enocom commented May 16, 2024

We're going to hold off on this since boringcrypto doesn't currently support TLS 1.3.

@enocom enocom closed this as completed May 16, 2024