proposal: crypto/tls: relax FIPS restrictions when the fips140=on GODEBUG is set #74664

@qmuntal

Proposal Details

Currently, the Go cryptography modules do not enforce strict FIPS 140 compliance when FIPS mode is enabled. This is generally beneficial, as strict enforcement can lead to application incompatibility. For users who require strict compliance, the fips140=only GODEBUG setting is available. Additionally, issue #74630 suggests that more granular control may be supported in the future.

However, this flexible approach is not consistently applied across the standard library. Specifically, the crypto/tls package enforces strict FIPS 140 compliance when the fips140=on GODEBUG is set, limiting TLS versions, cipher suites, curves, and signature algorithms to only those that are FIPS-approved.

I have received feedback from users expressing concerns about this strict behavior. The current all-or-nothing enforcement model negatively impacts interoperability in certain environments.

I suggest updating crypto/tls to follow the same approach as other cryptographic packages: allow all algorithms and configurations by default, even when GODEBUG=fips140=on is set. This proposal pertains only to the blocking of algorithms and configurations—not their prioritization. It may still be appropriate to prefer FIPS-compliant options when FIPS mode is enabled.

I'm unsure whether this change would be considered a breaking change under the Go compatibility policy. If so, an alternative could be to introduce a new GODEBUG setting to preserve the current behavior for users who depend on it.

@golang/security

Labels: LibraryProposal (Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool), Proposal, Proposal-Crypto (Proposal related to crypto packages or other security issues)
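To see the cipher-suite restriction the proposal describes, the following added example (not part of the issue or of the Go project's code) runs an in-memory TLS 1.2 handshake where the client offers exactly one suite, so the same binary can be compared with and without `GODEBUG=fips140=on`. The `Probe` helper and the `probe.test` name are hypothetical; ChaCha20-Poly1305 is used as the sample suite because it is not a FIPS-approved algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Probe handshakes over net.Pipe with a throwaway self-signed P-256 certificate
// (constructed test data); the client offers only `suite`. nil means accepted.
func Probe(suite uint16) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"probe.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust only this certificate instead of skipping verification
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	s.SetDeadline(time.Now().Add(5 * time.Second))
	srvCert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	go tls.Server(s, &tls.Config{Certificates: []tls.Certificate{srvCert}}).Handshake()
	return tls.Client(c, &tls.Config{RootCAs: roots, ServerName: "probe.test",
		MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}}).Handshake()
}

func main() {
	for _, id := range []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256} {
		fmt.Printf("%-50s err=%v\n", tls.CipherSuiteName(id), Probe(id))
	}
}
```

Without the GODEBUG setting both probes succeed; a ChaCha20 failure that appears only when the setting is on is the blocking behaviour the proposal wants relaxed.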