Thanks, it looks like we have some work to do ! On Thursday, April 30, 2020 at 11:31:37 AM UTC-7, David Anderson wrote: > > (Disclaimer: not a FIPS compliance expert, you should hire your own > experts to get authoritative answers) > > FIPS 140-2 seems to reference FIPS 186-4 for specific algorithm choices. > FIPS 186-4 specifies that the RSA modulus shall be 1024, 2048, or 3072 > bits. So, as-written, it seems like 4096-bit RSA keys are not allowed under > FIPS 140-2, which would explain why BoringCrypto doesn't permit them. > > There seems to be a bunch of discussion in standards bodies saying that > this was a bit of a mistake in FIPS 186-4, but the great thing about > regulations is you don't fix them just by saying "oh, that's obviously > incorrect, let's just ignore it" :( > > Seems like you need to talk to Azure about FIPS 140-2 compliant access > methods, or to your own compliance staff about how you can navigate the > regulatory requirements and still connect to stuff. > > - Dave > > On Thu, Apr 30, 2020 at 11:13 AM <[email protected] <javascript:>> > wrote: > >> Summary - Trying Boring Go in FIPS mode to connect to Microsoft services >> (Azure). Intermediate CA Certificate for Microsoft has a 4096 bit public >> key that is not allowed by Boring Go (Code here >> <https://github.com/golang/go/blob/2b0d842f4b24b3be4bcf02c7a796e3a4d3d952f6/src/crypto/tls/boring.go#L98> >> >> ), Is there any workaround without having to turn off FIPS mode ? >> >> go version go1.14b4 linux/amd64 >> >> Hi all, >> So I am working on an application that requires to be run in FIPS mode >> and has to connect to Azure services. I looked up the boring Go branch, got >> version 1.14 and started using it. >> While trying to connect to Azure services (for eg. >> graph[dot]microsoft[dot]com or even microsoft[dot]com), I was getting an >> incompatible certificate usage issue. Here is the sample code I am using - >> `package main >> >> import ( >> "fmt" >> "io/ioutil" >> "net/http" >> _ "crypto/tls/fipsonly" //Code works without this but we need the >> application to run in FIPS >> ) >> func main() { >> url := "https: //microsoft.com" //Space put here because of two link >> limit >> fmt.Printf("HTML code of %s ...\n", url) >> client := &http.Client{} >> resp, err := client.Get(url) >> >> if err != nil { >> panic(err) >> } >> >> defer resp.Body.Close() >> >> html, err := ioutil.ReadAll(resp.Body) >> if err != nil { >> panic(err) >> } >> >> fmt.Printf("%s\n", html) >> }` >> >> The error I get is as follows - >> HTML code of https: //microsoft.com ... panic: Get "https: // >> microsoft.com": x509: certificate specifies an incompatible key usage >> goroutine 1 [running]: main.main() /usr/local/go/bin/test.go:15 +0x26c exit >> status 2 >> >> I checked the golang code and found that a certificate with a 4096 bit >> public key is not a valid certificate according to the IsBoringCertificate >> function The intermediate certificate in Microsoft’s Certificate Chain has >> a 4096 bit public key. >> [image: Screen Shot 2020-04-27 at 12.35.20 PM] >> <https://forum.golangbridge.org/uploads/default/original/2X/5/5ee810d6e3d7c0397d6414aed64851342df3f843.png> >> >> So, my question is as follows : >> >> 1. Is this intended behavior ? >> 2. If yes, is here any workaround via which I can keep FIPS mode on >> and connect to these services ? This workaround can be code changes or >> using different tools. However, I can’t turn off FIPS mode. >> >> Thanks for going through this ! >> >> -- >> You received this message because you are subscribed to the Google Groups >> "golang-nuts" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] <javascript:>. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/golang-nuts/619f65bc-e79a-4412-8913-a03992fae04a%40googlegroups.com >> >> <https://groups.google.com/d/msgid/golang-nuts/619f65bc-e79a-4412-8913-a03992fae04a%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> >
-- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/2dae311b-d20b-42c1-a270-39c8ecf15d5f%40googlegroups.com.
