@lrstewart lrstewart commented Jul 1, 2025

Release Summary:

Add a new security policy for CRT that supports FIPS and TLS1.2

Description of changes:

CRT requested a new security policy based off of AWS-CRT-SDK-TLSv1.2-2023, that supports TLS1.2 and FIPS and does not include CBC cipher suites.

The new policy:

  1. Adds the "FIPS" rule
  2. Adds the "forward secrecy" rule
  3. Removes the cipher suites:
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
  4. Removes the signature schemes:
    • legacy_rsa_pkcs1_sha224
    • legacy_ecdsa_sha224
    • rsa_pkcs1_sha1
    • ecdsa_sha1
  5. Prefers EC certs over RSA certs, if multiple certs are configured
  6. Removes the named group:
    • x25519

The full diff between AWS-CRT-SDK-TLSv1.2-2023 and the new policy (AWS-CRT-SDK-TLSv1.2-2025):

diff AWS-CRT-SDK-TLSv1.2-2023 AWS-CRT-SDK-TLSv1.2-2025 

1c1
< name: AWS-CRT-SDK-TLSv1.2-2023
---
> name: AWS-CRT-SDK-TLSv1.2-2025
4,5c4,5
< - Perfect Forward Secrecy: no
< - FIPS 140-3 (2019): no
---
> - Perfect Forward Secrecy: yes
> - FIPS 140-3 (2019): yes
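Review bot: flipping both "Perfect Forward Secrecy" and "FIPS 140-3 (2019)" to yes is what makes the rest of this diff mandatory, since the Testing section says both rules are enforced by unit tests and s2n_init; every later deletion should therefore be attributable to one of these two rules or to the separate no-CBC requirement, and it would help reviewers if the description tagged each removed entry with the rule that drives it rather than grouping them all under "CBC cipher suites".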
9d8
< - TLS_CHACHA20_POLY1305_SHA256
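Review bot: TLS_CHACHA20_POLY1305_SHA256 is the TLS 1.3 ChaCha20 suite, and ChaCha20-Poly1305 is not a FIPS-approved algorithm, so this deletion follows from the FIPS flag; however the hunk shows only the deletion, so whether the TLS 1.3 AES-GCM suites survive in the 2025 policy is not visible here. The description says the policy "supports TLS1.2" but does not say whether TLS 1.3 remains negotiable; suggest stating that explicitly.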
14,29d12
< - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
< - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
< - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
< - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
< - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
< - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
< - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
< - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
< - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
< - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
< - TLS_RSA_WITH_AES_128_GCM_SHA256
< - TLS_RSA_WITH_AES_256_GCM_SHA384
< - TLS_RSA_WITH_AES_128_CBC_SHA256
< - TLS_RSA_WITH_AES_256_CBC_SHA256
< - TLS_RSA_WITH_AES_128_CBC_SHA
< - TLS_RSA_WITH_AES_256_CBC_SHA
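Review bot: this block mixes three distinct reasons for removal that the description lumps together. The two ECDHE CHACHA20 suites go because of FIPS, the eight ECDHE CBC suites go because of the no-CBC requirement, and TLS_RSA_WITH_AES_128_GCM_SHA256 / TLS_RSA_WITH_AES_256_GCM_SHA384 are FIPS-approved, non-CBC suites that go only because static RSA key transport has no forward secrecy. Suggest item 3 of the description (or the release note) call out the forward-secrecy removals separately so that users do not read "does not include CBC cipher suites" as the full story.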
30a14,16
> - ecdsa_sha256
> - ecdsa_sha384
> - ecdsa_sha512
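Review bot: this addition pairs with the deletion at 40,46d25: ecdsa_sha256, ecdsa_sha384 and ecdsa_sha512 are not new, they are moved from after the RSA schemes to before them. That is a change in signature-scheme preference order, not membership, and appears to be what item 5 ("Prefers EC certs over RSA certs") refers to. The description should say explicitly that the preference order changed, since beyond certificate selection it also affects which signature algorithm the server picks when a peer advertises both ECDSA and RSA schemes.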
40,46d25
< - legacy_rsa_pkcs1_sha224
< - ecdsa_sha256
< - ecdsa_sha384
< - ecdsa_sha512
< - legacy_ecdsa_sha224
< - rsa_pkcs1_sha1
< - ecdsa_sha1
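Review bot: of the seven deleted lines only four are real removals (legacy_rsa_pkcs1_sha224, legacy_ecdsa_sha224, rsa_pkcs1_sha1, ecdsa_sha1), matching item 4 of the description; the three ecdsa_sha* lines reappear at 30a14,16. Dropping rsa_pkcs1_sha1 and ecdsa_sha1 means peers that can only produce SHA-1 signatures will no longer complete a handshake under this policy, which is the intended hardening but is worth a sentence in the release note for operators migrating from AWS-CRT-SDK-TLSv1.2-2023.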
49d27
< - x25519
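Review bot: only the x25519 deletion is visible; the named groups the 2025 policy still offers are outside this hunk, so the diff alone does not let a reviewer confirm the resulting group order. Suggest the description list the remaining groups. Also note the operational effect: if TLS 1.3 remains enabled, a client whose ClientHello carries only an x25519 key_share will need an extra HelloRetryRequest round trip before it can negotiate with this policy.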

Testing:

The new security policy is described above. It also now includes the "fips" and "forward secret" policy rules, which are enforced by unit tests and s2n_init.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Jul 1, 2025
@lrstewart lrstewart marked this pull request as ready for review July 1, 2025 22:39
@lrstewart lrstewart requested review from jmayclin and boquan-fang July 1, 2025 22:39
@boquan-fang boquan-fang enabled auto-merge (squash) July 2, 2025 21:09
@boquan-fang boquan-fang merged commit e33d7ef into aws:main Jul 2, 2025
47 checks passed
dougch pushed a commit to dougch/s2n-tls that referenced this pull request Jul 9, 2025
3 participants