I have the below code.

    import (
        "crypto/tls"

        "google.golang.org/grpc"
        "google.golang.org/grpc/credentials"
    )

    func main() {
        // certFile and keyFile are defined elsewhere
        certificate, err := tls.LoadX509KeyPair(certFile, keyFile)
        if err != nil {
            // handle err
        }

        tlsConfig := &tls.Config{
            Certificates: []tls.Certificate{certificate},
            MinVersion:   tls.VersionTLS12,
            CipherSuites: GetCiphers(),
        }
        creds := credentials.NewTLS(tlsConfig)
        server := grpc.NewServer(grpc.Creds(creds))
        // register and start the server
    }

    func GetCiphers() []uint16 {
        return []uint16{
            // list of ciphers: TLS 1.2 / 1.3 + CBC ciphers
            tls.TLS_CHACHA20_POLY1305_SHA256,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
        }
    }

The server starts successfully, but only the GCM cipher is accepted; all the rest are not accepted even though they are explicitly specified in the list. This is happening only on FIPS. Any idea? I have built the binary as FIPS compliant using the go-toolset package.

Thanks

Gary
  • gRPC-Go implementation of TLS credentials uses the standard library packages. See: https://github.com/grpc/grpc-go/blob/master/credentials/tls.go. It does not impose any additional restrictions on the set of supported ciphers. If you are certain that this is an issue caused by gRPC-Go's implementation of TLS credentials, please file an issue at https://github.com/grpc/grpc-go/issues/new/choose. Thanks. – Easwar Swaminathan Mar 17 '23 at 16:31
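
One way to check which suites from a configured list a given Go binary will actually negotiate, as an added example that is not part of the original question or comment: it runs in-memory TLS 1.2 handshakes using only the standard library's crypto/tls, the package the comment says gRPC-Go builds on. The throwaway certificate, the name `probe.test` and the helpers `testCert` and `Probe` are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// testCert builds a throwaway ECDSA cert for "probe.test" and a pool trusting it (constructed input).
func testCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"probe.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Probe does one in-memory TLS 1.2 handshake offering only `offer`; it returns the negotiated suite ID.
func Probe(cert tls.Certificate, roots *x509.CertPool, serverSuites []uint16, offer uint16) (uint16, error) {
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // fail instead of hanging
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: tls.VersionTLS12, CipherSuites: serverSuites})
	go srv.Handshake()
	cli := tls.Client(c, &tls.Config{RootCAs: roots, ServerName: "probe.test",
		MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{offer}})
	if err := cli.Handshake(); err != nil {
		return 0, err
	}
	return cli.ConnectionState().CipherSuite, nil
}

func main() {
	cert, roots := testCert()
	list := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256}
	for _, id := range list {
		_, err := Probe(cert, roots, list, id)
		fmt.Printf("%-45s accepted=%v err=%v\n", tls.CipherSuiteName(id), err == nil, err)
	}
}
```

Built with the same toolchain and run in the same mode as the server, the output shows for each suite whether that runtime accepts it, independent of gRPC.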

0 Answers