djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Change order of hardcoded cipher list for fips

Browse Source 
Signed-off-by: Margo Crawford <margaretc@vmware.com>
This commit is contained in:
Margo Crawford 2022-03-23 08:18:06 -07:00 committed by Monis Khan
parent 420f855287
commit 0de7bc03aa
No known key found for this signature in database
GPG Key ID: 52C90ADA01B269B8
1 changed files with 2 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
test/integration/securetls_fips_test.go
View File

@ -17,7 +17,6 @@ import (
"net/http" "net/http"
"os/exec" "os/exec"
"regexp" "regexp"
"sort"
"strconv" "strconv"
"strings" "strings"
"testing" "testing"
@ -36,10 +35,10 @@ import (
// hard-coded list, copied from here: // hard-coded list, copied from here:
// https://github.com/golang/go/blob/dev.boringcrypto/src/crypto/tls/boring.go. // https://github.com/golang/go/blob/dev.boringcrypto/src/crypto/tls/boring.go.
var defaultCipherSuitesFIPS []uint16 = []uint16{ var defaultCipherSuitesFIPS []uint16 = []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
} }
@ -217,21 +216,6 @@ func getExpectedCiphers(configFunc ptls.ConfigFunc) string {
var tls12Bit, tls13Bit string var tls12Bit, tls13Bit string
// sort the TLS 1.2 ciphers.
sort.SliceStable(cipherSuites, func(i, j int) bool {
a := tls.CipherSuiteName(config.CipherSuites[i])
b := tls.CipherSuiteName(config.CipherSuites[j])
ok1 := strings.Contains(a, "_ECDSA_")
ok2 := strings.Contains(b, "_ECDSA_")
if ok1 && ok2 {
return false
}
return ok1
})
// use the TLS 1.2 ciphers to create the output in nmap's format. // use the TLS 1.2 ciphers to create the output in nmap's format.
var s strings.Builder var s strings.Builder
for i, id := range cipherSuites { for i, id := range cipherSuites {