From 9e98f93193f220433eed5567b52089757c123060 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Tue, 22 Apr 2025 21:22:34 +0000
Subject: [PATCH 01/32] added new security policy w/ new cipher_suites
---
 tls/s2n_cipher_preferences.c | 25 +++++++++++++++++++++++++
 tls/s2n_security_policies.c | 16 +++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
index 43ee1dfe695..772843ab70c 100644
--- a/tls/s2n_cipher_preferences.c
+++ b/tls/s2n_cipher_preferences.c
@@ -327,6 +327,31 @@ const struct s2n_cipher_preferences cipher_preferences_20240331 = {
 .allow_chacha20_boosting = false,
 };
+/*
+ * TLS1.3 support.
+ * FIPS compliant.
+ * No DHE (would require extra setup with s2n_config_add_dhparams)
+ */
+struct s2n_cipher_suite *cipher_suites_20250422[] = {
+ /* TLS1.2 with ECDSA */
+ &s2n_ecdhe_ecdsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_ecdsa_with_aes_256_gcm_sha384,
+
+ /* TLS1.2 with RSA */
+ &s2n_ecdhe_rsa_with_aes_128_gcm_sha256,
+ &s2n_ecdhe_rsa_with_aes_256_gcm_sha384,
+
+ /* TLS1.3 */
+ &s2n_tls13_aes_128_gcm_sha256,
+ &s2n_tls13_aes_256_gcm_sha384,
+};
+
+const struct s2n_cipher_preferences cipher_preferences_20250422 = {
+ .count = s2n_array_len(cipher_suites_20250422),
+ .suites = cipher_suites_20250422,
+ .allow_chacha20_boosting = false,
+};
+
 /* Same as 20160411, but with ChaCha20 added as 1st in Preference List */
 struct s2n_cipher_suite *cipher_suites_20190122[] = {
 &s2n_ecdhe_rsa_with_chacha20_poly1305_sha256,
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
index 94ba8ee1709..179a3f29088 100644
--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -46,6 +46,20 @@ const struct s2n_security_policy security_policy_20240502 = {
 },
 };
+const struct s2n_security_policy security_policy_20250416 = {
+ .minimum_protocol_version = S2N_TLS12,
+ .cipher_preferences = &cipher_preferences_20250422,
+ .kem_preferences = &kem_preferences_null,
+ .signature_preferences = &s2n_signature_preferences_20240501,
+ .certificate_signature_preferences = &s2n_certificate_signature_preferences_20201110,
+ .ecc_preferences = &s2n_ecc_preferences_20201021,
+ .rules = {
+ [S2N_PERFECT_FORWARD_SECRECY] = true,
+ [S2N_FIPS_140_3] = true,
+ },
+};
+
+
 /* TLS1.3 default as of 05/24 */
 const struct s2n_security_policy security_policy_20240503 = {
 .minimum_protocol_version = S2N_TLS12,
@@ -1226,7 +1240,7 @@ const struct s2n_security_policy security_policy_null = {
 struct s2n_security_policy_selection security_policy_selection[] = {
 { .version = "default", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
- { .version = "default_fips", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "default_fips", .security_policy = &security_policy_20250416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_pq", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
From 3bcb8edf7818ad181d2560abe5f5d62b9c31a85e Mon Sep 17 00:00:00 2001
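Review bot: In PATCH 01, `security_policy_20250416` is added without the one-line description its neighbours carry (`/* TLS1.3 default as of 05/24 */`), and its date differs from the cipher list it points at, `cipher_preferences_20250422`, with nothing explaining the pairing. A header such as `/* FIPS policy: TLS1.2 and TLS1.3, ECDHE with AES-GCM only (cipher_preferences_20250422) */` would make the two names harder to confuse. Because the cipher list adds TLS 1.3 suites, also confirm that `s2n_signature_preferences_20240501`, which is not shown in this diff, includes the RSA-PSS schemes TLS 1.3 needs for RSA certificates. The two blank lines added after the closing `};` look unintended.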
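Review bot: In PATCH 01, repointing `"default_fips"` at `security_policy_20250416` changes the negotiated suites for every existing FIPS-mode caller, yet the hunk adds no versioned row for the new policy, so it cannot be pinned or rolled back to by name. Add a row next to the other dated entries, `{ .version = "20250416", .security_policy = &security_policy_20250416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },`, and check that 20240502 stays selectable for peers that still need the previous list. The `security_policy_selection` table continues past the end of the hunk, so an existing row may simply be out of view.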
From: Jacob Jo
Date: Wed, 23 Apr 2025 00:12:20 +0000
Subject: [PATCH 02/32] send cipher
---
 tls/s2n_cipher_preferences.h | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tls/s2n_cipher_preferences.h b/tls/s2n_cipher_preferences.h
index c8b75f03abe..08f80e333b9 100644
--- a/tls/s2n_cipher_preferences.h
+++ b/tls/s2n_cipher_preferences.h
@@ -29,6 +29,7 @@ struct s2n_cipher_preferences {
 extern const struct s2n_cipher_preferences cipher_preferences_20230317;
 extern const struct s2n_cipher_preferences cipher_preferences_20240331;
+extern const struct s2n_cipher_preferences cipher_preferences_20250422;
 extern const struct s2n_cipher_preferences cipher_preferences_20140601;
 extern const struct s2n_cipher_preferences cipher_preferences_20141001;
 extern const struct s2n_cipher_preferences cipher_preferences_20150202;
From 1cc0d7735155d84ef6f96f318062b1d3e04192bc Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 18:56:34 +0000
Subject: [PATCH 03/32] added new default fibs to header file
---
 tls/s2n_security_policies.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tls/s2n_security_policies.h b/tls/s2n_security_policies.h
index b837e95ac5a..4bbce40e757 100644
--- a/tls/s2n_security_policies.h
+++ b/tls/s2n_security_policies.h
@@ -96,7 +96,8 @@ extern struct s2n_security_policy_selection security_policy_selection[];
 extern const char *deprecated_security_policies[];
 extern const size_t deprecated_security_policies_len;
-/* Defaults as of 05/24 */
+/* Defaults as of 05/25 */
+extern const struct s2n_security_policy security_policy_20250416;
 extern const struct s2n_security_policy security_policy_20240501;
 extern const struct s2n_security_policy security_policy_20240502;
 extern const struct s2n_security_policy security_policy_20240503;
From e8b745daf6a2912a0936e5fe1fd9ed17b8067164 Mon Sep 17 00:00:00 2001
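Review bot: In PATCH 03, rewriting the header comment to `/* Defaults as of 05/25 */` re-dates all four declarations under it, although only `security_policy_20250416` is new; `security_policy_20240501`, `security_policy_20240502` and `security_policy_20240503` are still the 05/24 policies. Keep `/* Defaults as of 05/24 */` above those three and give the new extern its own comment, for example `/* FIPS default as of 05/25 */`. A reader auditing which policy a FIPS deployment gets would otherwise have to check the .c file to find out what changed.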
From: Jacob Jo
Date: Wed, 7 May 2025 19:01:03 +0000
Subject: [PATCH 04/32] moved comment to new security policy
---
 tls/s2n_security_policies.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
index 57797357145..93e834d84cc 100644
--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -32,7 +32,6 @@ const struct s2n_security_policy security_policy_20240501 = {
 },
 };
-/* FIPS default as of 05/24 */
 const struct s2n_security_policy security_policy_20240502 = {
 .minimum_protocol_version = S2N_TLS12,
 .cipher_preferences = &cipher_preferences_20240331,
@@ -46,6 +45,7 @@ const struct s2n_security_policy security_policy_20240502 = {
 },
 };
+/* FIPS default as of 05/25 */
 const struct s2n_security_policy security_policy_20250416 = {
 .minimum_protocol_version = S2N_TLS12,
 .cipher_preferences = &cipher_preferences_20250422,
From 7e92b5e3552a9b0901d6ffae0b046df03eaf74da Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 19:48:47 +0000
Subject: [PATCH 05/32] updated unit tests
---
 tests/unit/s2n_security_policies_test.c | 9 +++++----
 tls/s2n_cipher_preferences.c | 1 +
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index 31d29e4240f..397e18369cf 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -822,8 +822,8 @@ int main(int argc, char **argv)
 /* default_tls13 is currently 20240503 */
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240503, "rfc9151", ecdsa_sha384_chain_and_key));
- /* default_fips is currently 20240502 */
- EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240502, "rfc9151", ecdsa_sha384_chain_and_key));
+ /* default_fips is currently 20250422 */
+ EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250422, "rfc9151", ecdsa_sha384_chain_and_key));
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250211, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_tls13 > 20250211
@@ -843,8 +843,8 @@ int main(int argc, char **argv)
 /* default_tls13 is currently 20240503 */
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240503, "rfc9151", ecdsa_sha384_chain_and_key));
- /* default_fips is currently 20240502 */
- EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240502, "rfc9151", ecdsa_sha384_chain_and_key));
+ /* default_fips is currently 20250422 */
+ EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250422, "rfc9151", ecdsa_sha384_chain_and_key));
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250414, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_tls13 > 20250414 (with either p-256 or p-384 cert) */
@@ -908,6 +908,7 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *versioned_policies[] = {
 &security_policy_20240416,
 &security_policy_20240502,
+ &security_policy_20250416,
 };
 const struct s2n_supported_cert supported_certs[] = {
diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
index 772843ab70c..4dc673e561b 100644
--- a/tls/s2n_cipher_preferences.c
+++ b/tls/s2n_cipher_preferences.c
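Review bot: In PATCH 05, both rewritten `EXPECT_OK` lines (the hunks at -822 and -843) pass `&security_policy_20250422`, but the series only declares `security_policy_20250416`; `20250422` is the suffix of the cipher preferences, so this commit does not appear to build on its own. The following patch corrects the identifier, so squash the two to keep every commit compilable for bisecting. The comments `/* default_fips is currently 20250422 */` carry the same wrong date and should read 20250416. `main` starts and ends outside these hunks.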
@@ -331,6 +331,7 @@ const struct s2n_cipher_preferences cipher_preferences_20240331 = {
 * TLS1.3 support.
 * FIPS compliant.
 * No DHE (would require extra setup with s2n_config_add_dhparams)
+ * No CBC (no encrypt then MAC)
 */
 struct s2n_cipher_suite *cipher_suites_20250422[] = {
 /* TLS1.2 with ECDSA */
From 6b7c90df4dc9f6d4a74b7807cd51a4365c7b7b19 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 19:52:14 +0000
Subject: [PATCH 06/32] fixed security policy bug
---
 tests/unit/s2n_security_policies_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index 397e18369cf..1e9b6fa9a26 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -823,7 +823,7 @@ int main(int argc, char **argv)
 /* default_tls13 is currently 20240503 */
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240503, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_fips is currently 20250422 */
- EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250422, "rfc9151", ecdsa_sha384_chain_and_key));
+ EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250416, "rfc9151", ecdsa_sha384_chain_and_key));
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250211, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_tls13 > 20250211
@@ -844,7 +844,7 @@ int main(int argc, char **argv)
 /* default_tls13 is currently 20240503 */
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240503, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_fips is currently 20250422 */
- EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250422, "rfc9151", ecdsa_sha384_chain_and_key));
+ EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250416, "rfc9151", ecdsa_sha384_chain_and_key));
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250414, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_tls13 > 20250414 (with either p-256 or p-384 cert) */
From 24256b16b50f20c15fbeab22d5c2eddf92aa6642 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 20:40:22 +0000
Subject: [PATCH 07/32] revert back unit tests
---
 tests/unit/s2n_security_policies_test.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index 1e9b6fa9a26..bb4a98f962d 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -822,8 +822,8 @@ int main(int argc, char **argv)
 /* default_tls13 is currently 20240503 */
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240503, "rfc9151", ecdsa_sha384_chain_and_key));
- /* default_fips is currently 20250422 */
- EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250416, "rfc9151", ecdsa_sha384_chain_and_key));
+ /* default_fips is currently 20240502 */
+ EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240502, "rfc9151", ecdsa_sha384_chain_and_key));
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250211, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_tls13 > 20250211
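Review bot: In PATCH 07, reverting these checks to `&security_policy_20240502` (this hunk at -822 and the following one at -843) leaves the rfc9151 compatibility test asserting against the previous FIPS policy while `"default_fips"` still maps to `security_policy_20250416` at this point in the series. The restored comment `/* default_fips is currently 20240502 */` is therefore false, and the policy FIPS callers actually receive is no longer covered by this test. Keep a check for whichever policy the selection table names, and add a second line rather than swapping if both policies should stay compatible. `main` starts and ends outside these hunks.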
@@ -843,8 +843,8 @@ int main(int argc, char **argv)
 /* default_tls13 is currently 20240503 */
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240503, "rfc9151", ecdsa_sha384_chain_and_key));
- /* default_fips is currently 20250422 */
- EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250416, "rfc9151", ecdsa_sha384_chain_and_key));
+ /* default_fips is currently 20240502 */
+ EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20240502, "rfc9151", ecdsa_sha384_chain_and_key));
 EXPECT_OK(s2n_test_security_policies_compatible(&security_policy_20250414, "rfc9151", ecdsa_sha384_chain_and_key));
 /* default_tls13 > 20250414 (with either p-256 or p-384 cert) */
From f6817d5559a20b9d78790d3ae1660008eb4f8010 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 20:44:00 +0000
Subject: [PATCH 08/32] removed space
---
 tls/s2n_security_policies.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
index 93e834d84cc..306b5fc6322 100644
--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -59,7 +59,6 @@ const struct s2n_security_policy security_policy_20250416 = {
 },
 };
-
 /* TLS1.3 default as of 05/24 */
 const struct s2n_security_policy security_policy_20240503 = {
 .minimum_protocol_version = S2N_TLS12,
From 8d6400aef4208fa423c24a80159bbf7c35f4b304 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 20:48:49 +0000
Subject: [PATCH 09/32] default_fips now supports tls13 as well
---
 tests/unit/s2n_security_policies_test.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index bb4a98f962d..6f288d16809 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -289,7 +289,6 @@ int main(int argc, char **argv)
 {
 char tls12_only_security_policy_strings[][255] = {
 "default",
- "default_fips",
 "ELBSecurityPolicy-TLS-1-0-2015-04",
 "ELBSecurityPolicy-TLS-1-0-2015-05",
 "ELBSecurityPolicy-2016-08",
From b39e63ea48d14e3d3788401c20357fd05231181c Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 21:43:33 +0000
Subject: [PATCH 10/32] tls1.3 is now supported by default
---
 tests/unit/s2n_tls13_support_test.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 9bf6b6809b7..58cf4b34658 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -33,7 +33,7 @@ int main(int argc, char **argv)
 /* TLS 1.3 is not used by default */
 EXPECT_FALSE(s2n_use_default_tls13_config());
- /* TLS1.3 is not supported or configured by default */
+ /* TLS1.3 is supported by default */
 {
 /* Client does not support or configure TLS 1.3 */
 {
@@ -44,7 +44,7 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_SUCCESS(s2n_security_policy_supports_tls13(security_policy));
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
@@ -58,7 +58,7 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_SUCCESS(s2n_security_policy_supports_tls13(security_policy));
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
From 82919825211cd2be0e9193f447f442cd5227dc27 Mon Sep 17 00:00:00 2001
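Review bot: In PATCH 10, `EXPECT_SUCCESS(s2n_security_policy_supports_tls13(security_policy))` in the client and server blocks (hunks at -44 and -58) wraps a call that the replaced line treated as a boolean with `EXPECT_FALSE`. If `EXPECT_SUCCESS` only rejects negative returns, as its use on the int-returning calls around it suggests, the assertion passes whether or not the policy supports TLS 1.3. Use `EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));` so the test can actually fail. `main` starts and ends outside these hunks.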
From: Jacob Jo
Date: Wed, 7 May 2025 21:43:56 +0000
Subject: [PATCH 11/32] fixed comment
---
 tests/unit/s2n_tls13_support_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 58cf4b34658..476ad6ae043 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -35,7 +35,7 @@ int main(int argc, char **argv)
 /* TLS1.3 is supported by default */
 {
- /* Client does not support or configure TLS 1.3 */
+ /* Client does support or configure TLS 1.3 */
 {
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
@@ -49,7 +49,7 @@ int main(int argc, char **argv)
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
- /* Server does not support or configure TLS 1.3 */
+ /* Server does support or configure TLS 1.3 */
 {
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
From 849210b7c0d6ccc2a55232a569ca2b65b0088e12 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 21:51:46 +0000
Subject: [PATCH 12/32] we shouldn't disable tls13
---
 tests/unit/s2n_tls13_support_test.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 476ad6ae043..5819f04e710 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -28,7 +28,6 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
- EXPECT_SUCCESS(s2n_disable_tls13_in_test());
 /* TLS 1.3 is not used by default */
 EXPECT_FALSE(s2n_use_default_tls13_config());
From f4137e3c04b3ce7df1315f27d5f32c1e3bca814a Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 21:55:12 +0000
Subject: [PATCH 13/32] tls 13 used by default
---
 tests/unit/s2n_tls13_support_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 5819f04e710..fde353bdbeb 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -29,8 +29,8 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
- /* TLS 1.3 is not used by default */
- EXPECT_FALSE(s2n_use_default_tls13_config());
+ /* TLS 1.3 is used by default */
+ EXPECT_TRUE(s2n_use_default_tls13_config());
 /* TLS1.3 is supported by default */
 {
From 1cb25b720a63cd393718bdcb1443d690b3951f34 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 22:02:11 +0000
Subject: [PATCH 14/32] tls13 is enabled by default
---
 tls/s2n_tls13.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tls/s2n_tls13.c b/tls/s2n_tls13.c
index fad89bdbdd9..c6ebafa1ff8 100644
--- a/tls/s2n_tls13.c
+++ b/tls/s2n_tls13.c
@@ -19,7 +19,7 @@
 #include "crypto/s2n_rsa_pss.h"
 #include "tls/s2n_tls.h"
-bool s2n_use_default_tls13_config_flag = false;
+bool s2n_use_default_tls13_config_flag = true;
 bool s2n_use_default_tls13_config()
 {
From 76a66fd1e957af7f90a1577bc4724d898c21816e Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 22:17:15 +0000
Subject: [PATCH 15/32] protocol version and s2n tls13
---
 tests/unit/s2n_tls13_support_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index fde353bdbeb..e020a86792a 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -39,7 +39,7 @@ int main(int argc, char **argv)
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
- EXPECT_NOT_EQUAL(conn->client_protocol_version, S2N_TLS13);
+ EXPECT_EQUAL(conn->client_protocol_version, S2N_TLS13);
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
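Review bot: In PATCH 14 (`tls/s2n_tls13.c`), initialising `s2n_use_default_tls13_config_flag` to `true` changes the default for every consumer of the library, not only FIPS builds. `s2n_fetch_default_config()`, visible later in this series, tests `s2n_use_default_tls13_config()` before `s2n_is_in_fips_mode()`, so, assuming the accessor returns this flag, a FIPS-mode process would be handed `s2n_default_tls13_config` and never reach `s2n_default_fips_config`. If the aim is TLS 1.3 under `default_fips`, change the policy the FIPS config selects and leave this line as `bool s2n_use_default_tls13_config_flag = false;`.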
@@ -53,7 +53,7 @@ int main(int argc, char **argv)
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
- EXPECT_NOT_EQUAL(conn->server_protocol_version, S2N_TLS13);
+ EXPECT_EQUAL(conn->server_protocol_version, S2N_TLS13);
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
From cdbb99f685848a005e7247355ccc5805dfa4691e Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 22:40:21 +0000
Subject: [PATCH 16/32] revert back to default and just turn on tls13 in test
---
 tests/unit/s2n_tls13_support_test.c | 2 +-
 tls/s2n_tls13.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index e020a86792a..b2b43878346 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -28,7 +28,7 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
-
+ EXPECT_SUCCESS(s2n_enable_tls13_in_test());
 /* TLS 1.3 is used by default */
 EXPECT_TRUE(s2n_use_default_tls13_config());
diff --git a/tls/s2n_tls13.c b/tls/s2n_tls13.c
index c6ebafa1ff8..fad89bdbdd9 100644
--- a/tls/s2n_tls13.c
+++ b/tls/s2n_tls13.c
@@ -19,7 +19,7 @@
 #include "crypto/s2n_rsa_pss.h"
 #include "tls/s2n_tls.h"
-bool s2n_use_default_tls13_config_flag = true;
+bool s2n_use_default_tls13_config_flag = false;
 bool s2n_use_default_tls13_config()
 {
From 6d355a65c07625599f68ffa718d6ed9fc017790d Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 23:24:11 +0000
Subject: [PATCH 17/32] should be true used to be false
---
 tests/unit/s2n_tls13_support_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index b2b43878346..1c59f95c7f7 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -43,7 +43,7 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_SUCCESS(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
@@ -57,7 +57,7 @@ int main(int argc, char **argv)
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_SUCCESS(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
From 3bf09c7761ab5a4554c6d490c7aafdd35140ecf2 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 7 May 2025 23:25:01 +0000
Subject: [PATCH 18/32] updated comment
---
 tls/s2n_cipher_preferences.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tls/s2n_cipher_preferences.c b/tls/s2n_cipher_preferences.c
index 4dc673e561b..d9063c38190 100644
--- a/tls/s2n_cipher_preferences.c
+++ b/tls/s2n_cipher_preferences.c
@@ -331,7 +331,7 @@ const struct s2n_cipher_preferences cipher_preferences_20240331 = {
 * TLS1.3 support.
 * FIPS compliant.
 * No DHE (would require extra setup with s2n_config_add_dhparams)
- * No CBC (no encrypt then MAC)
+ * No CBC ciphers
 */
 struct s2n_cipher_suite *cipher_suites_20250422[] = {
 /* TLS1.2 with ECDSA */
From 8da17b941f5aa8bdabd22148b9014c92fb26e443 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Thu, 8 May 2025 20:37:30 +0000
Subject: [PATCH 19/32] test that tls13 enabled by default
---
 tests/unit/s2n_tls13_support_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 1c59f95c7f7..24ec2be1c83 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -28,8 +28,8 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
- EXPECT_SUCCESS(s2n_enable_tls13_in_test());
- /* TLS 1.3 is used by default */
+ // EXPECT_SUCCESS(s2n_enable_tls13_in_test());
+ /* TLS 1.3 is not used by default unless s2n-tls is in FIPS mode */
 EXPECT_TRUE(s2n_use_default_tls13_config());
 /* TLS1.3 is supported by default */
From 684d131d0e4e7ffe83fa01ef4d9c316cdecf5000 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Thu, 8 May 2025 22:54:13 +0000
Subject: [PATCH 20/32] revert back to original test case
---
 tests/unit/s2n_tls13_support_test.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 24ec2be1c83..77624b71fc3 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -28,36 +28,37 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
- // EXPECT_SUCCESS(s2n_enable_tls13_in_test());
- /* TLS 1.3 is not used by default unless s2n-tls is in FIPS mode */
- EXPECT_TRUE(s2n_use_default_tls13_config());
+ EXPECT_SUCCESS(s2n_disable_tls13_in_test());
- /* TLS1.3 is supported by default */
+ /* TLS 1.3 is not used by default */
+ EXPECT_FALSE(s2n_use_default_tls13_config());
+
+ /* TLS1.3 is not supported or configured by default except for default fibs */
 {
- /* Client does support or configure TLS 1.3 */
+ /* Client does not support or configure TLS 1.3 */
 {
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
- EXPECT_EQUAL(conn->client_protocol_version, S2N_TLS13);
-
+ EXPECT_NOT_EQUAL(conn->client_protocol_version, S2N_TLS13);
+
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
- /* Server does support or configure TLS 1.3 */
+ /* Server does not support or configure TLS 1.3 */
 {
 struct s2n_connection *conn = NULL;
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
- EXPECT_EQUAL(conn->server_protocol_version, S2N_TLS13);
+ EXPECT_NOT_EQUAL(conn->server_protocol_version, S2N_TLS13);
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
- EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
+ EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
 EXPECT_SUCCESS(s2n_connection_free(conn));
 };
From cace6ca9e0b0f8f61e9e73cf1a2953bb69c2cb1b Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Thu, 8 May 2025 22:55:44 +0000
Subject: [PATCH 21/32] fixed spacing
---
 tests/unit/s2n_tls13_support_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 77624b71fc3..2f3adccd288 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -41,7 +41,7 @@ int main(int argc, char **argv)
 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
 EXPECT_NOT_EQUAL(conn->client_protocol_version, S2N_TLS13);
-
+
 const struct s2n_security_policy *security_policy = NULL;
 EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
 EXPECT_FALSE(s2n_security_policy_supports_tls13(security_policy));
From 2f2504b4a8e48a51017409ff9b6e139a300fe699 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Fri, 9 May 2025 20:12:39 +0000
Subject: [PATCH 22/32] print statements testing
---
 tests/unit/s2n_tls13_support_test.c | 2 +-
 tls/s2n_config.c | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 2f3adccd288..5a9b2104a62 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -33,7 +33,7 @@ int main(int argc, char **argv)
 /* TLS 1.3 is not used by default */
 EXPECT_FALSE(s2n_use_default_tls13_config());
- /* TLS1.3 is not supported or configured by default except for default fibs */
+ /* TLS1.3 is not supported or configured by default except for default fips */
 {
 /* Client does not support or configure TLS 1.3 */
 {
diff --git a/tls/s2n_config.c b/tls/s2n_config.c
index 778dce920e8..f2ccc1ae59d 100644
--- a/tls/s2n_config.c
+++ b/tls/s2n_config.c
@@ -213,11 +213,15 @@ int s2n_config_build_domain_name_to_cert_map(struct s2n_config *config, struct s
 struct s2n_config *s2n_fetch_default_config(void)
 {
 if (s2n_use_default_tls13_config()) {
+ fprintf(stderr, "DEBUG: Using s2n_default_tls13_config\n");
 return &s2n_default_tls13_config;
 }
+ // GOAL IS TO GET TO HERE? Currently returning true?
 if (s2n_is_in_fips_mode()) {
+ fprintf(stderr, "DEBUG: Using s2n_default_fips_config\n");
 return &s2n_default_fips_config;
 }
+ fprintf(stderr, "DEBUG: Using s2n_default_config\n");
 return &s2n_default_config;
 }
From 4bd43012e46cb200d244f6d602f09d33acbdcd54 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Fri, 9 May 2025 23:16:22 +0000
Subject: [PATCH 23/32] Added unit test logic for different s2n builds
---
 tests/unit/s2n_tls13_support_test.c | 37 +++++++++++++++++++++++++----
 tls/s2n_config.c | 1 -
 2 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 5a9b2104a62..bf83d045a33 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -12,7 +12,7 @@
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */
-
+#include "crypto/s2n_fips.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/extensions/s2n_cookie.h"
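Review bot: In PATCH 22 (`tls/s2n_config.c`), the three `fprintf(stderr, "DEBUG: ...")` calls added to `s2n_fetch_default_config()` make library code write to the host application's stderr on every default-config lookup, and the hunk adds no `<stdio.h>` include for them. Diagnostic output of this kind belongs in the test, not in a shipped code path; drop the calls and the `// GOAL IS TO GET TO HERE?` note before this lands. If the selection order is what needed explaining, a comment such as `/* The TLS1.3 override is checked first, so it takes precedence over FIPS mode */` records the finding without changing behaviour.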
@@ -28,12 +28,39 @@ int main(int argc, char **argv)
 {
 BEGIN_TEST();
- EXPECT_SUCCESS(s2n_disable_tls13_in_test());
- /* TLS 1.3 is not used by default */
- EXPECT_FALSE(s2n_use_default_tls13_config());
+ /* TLS1.3 is supported by default_fips */
+ if (s2n_is_fips_enabled()){
+ /* Client does support or configure TLS 1.3 */
+ {
+ struct s2n_connection *conn = NULL;
+ EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
+
+ EXPECT_EQUAL(conn->client_protocol_version, S2N_TLS13);
+
+ const struct s2n_security_policy *security_policy = NULL;
+ EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
+ EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
+
+ EXPECT_SUCCESS(s2n_connection_free(conn));
+ };
+
+ /* Server does support or configure TLS 1.3 */
+ {
+ struct s2n_connection *conn = NULL;
+ EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
+
+ EXPECT_EQUAL(conn->server_protocol_version, S2N_TLS13);
- /* TLS1.3 is not supported or configured by default except for default fips */
+ const struct s2n_security_policy *security_policy = NULL;
+ EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy));
+ EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy));
+
+ EXPECT_SUCCESS(s2n_connection_free(conn));
+ };
+ }
+ /* TLS1.3 is not supported by default */
+ else
 {
 /* Client does not support or configure TLS 1.3 */
 {
diff --git a/tls/s2n_config.c b/tls/s2n_config.c
index f2ccc1ae59d..49c44358dfd 100644
--- a/tls/s2n_config.c
+++ b/tls/s2n_config.c
@@ -216,7 +216,6 @@ struct s2n_config *s2n_fetch_default_config(void)
 fprintf(stderr, "DEBUG: Using s2n_default_tls13_config\n");
 return &s2n_default_tls13_config;
 }
- // GOAL IS TO GET TO HERE? Currently returning true?
 if (s2n_is_in_fips_mode()) {
 fprintf(stderr, "DEBUG: Using s2n_default_fips_config\n");
 return &s2n_default_fips_config;
From 652ec6132b54b828f8e77b824c5352c8dd0ec600 Mon Sep 17 00:00:00 2001
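Review bot: In PATCH 23 (`tests/unit/s2n_tls13_support_test.c`), the new `if (s2n_is_fips_enabled())` arm runs only when the test binary is started in FIPS mode, so on a non-FIPS CI job none of the added TLS 1.3 assertions execute and the FIPS default is effectively untested there. The library code in the same commit calls `s2n_is_in_fips_mode()`, and nothing in this series declares `s2n_is_fips_enabled`; use the same predicate, `if (s2n_is_in_fips_mode()) {`, unless the other name is known to exist. The previous `EXPECT_SUCCESS(s2n_disable_tls13_in_test());` is also removed from the non-FIPS arm, so confirm that arm no longer depends on it. `main` continues beyond the hunk.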
From: Jacob Jo
Date: Mon, 12 May 2025 18:50:23 +0000
Subject: [PATCH 24/32] changed to fips mode
---
 tests/unit/s2n_tls13_support_test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index bf83d045a33..742fdd5f51c 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -30,7 +30,7 @@ int main(int argc, char **argv)
 BEGIN_TEST();
 /* TLS1.3 is supported by default_fips */
- if (s2n_is_fips_enabled()){
+ if (s2n_is_in_fips_mode()){
 /* Client does support or configure TLS 1.3 */
 {
 struct s2n_connection *conn = NULL;
From 5854fcfe6959c8882561fcb26425aede4ac75853 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Mon, 12 May 2025 20:03:00 +0000
Subject: [PATCH 25/32] tls 13 disabled for false case
---
 tests/unit/s2n_tls13_support_test.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 742fdd5f51c..80c2691bef3 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -62,6 +62,11 @@ int main(int argc, char **argv)
 /* TLS1.3 is not supported by default */
 else
 {
+
+ EXPECT_SUCCESS(s2n_disable_tls13_in_test());
+
+ /* TLS 1.3 is not used by default */
+ EXPECT_FALSE(s2n_use_default_tls13_config());
 /* Client does not support or configure TLS 1.3 */
 {
 struct s2n_connection *conn = NULL;
From 0b6bee3c5ea27ee5ecd956866e6a30b8fa56b453 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Tue, 13 May 2025 21:50:10 +0000
Subject: [PATCH 26/32] restore default fips
---
 tests/unit/s2n_security_policies_test.c | 1 +
 tests/unit/s2n_tls13_support_test.c | 42 +++----------------------
 tls/s2n_config.c | 3 --
 tls/s2n_security_policies.c | 4 +--
 tls/s2n_security_policies.h | 4 +--
 5 files changed, 9 insertions(+), 45 deletions(-)
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index 6f288d16809..bb4a98f962d 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -289,6 +289,7 @@ int main(int argc, char **argv)
 {
 char tls12_only_security_policy_strings[][255] = {
 "default",
+ "default_fips",
 "ELBSecurityPolicy-TLS-1-0-2015-04",
 "ELBSecurityPolicy-TLS-1-0-2015-05",
 "ELBSecurityPolicy-2016-08",
diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c
index 80c2691bef3..b2538523108 100644
--- a/tests/unit/s2n_tls13_support_test.c
+++ b/tests/unit/s2n_tls13_support_test.c
@@ -12,7 +12,6 @@
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */
-#include "crypto/s2n_fips.h"
 #include "s2n_test.h"
 #include "testlib/s2n_testlib.h"
 #include "tls/extensions/s2n_cookie.h"
@@ -28,45 +27,12 @@ int main(int argc, char **argv) { BEGIN_TEST(); + + EXPECT_SUCCESS(s2n_disable_tls13_in_test()); - /* TLS1.3 is supported by default_fips */ - if (s2n_is_in_fips_mode()){ - /* Client does support or configure TLS 1.3 */ - { - struct s2n_connection *conn = NULL; - EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT)); - - EXPECT_EQUAL(conn->client_protocol_version, S2N_TLS13); - - const struct s2n_security_policy *security_policy = NULL; - EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy)); - EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy)); - - EXPECT_SUCCESS(s2n_connection_free(conn)); - }; - - /* Server does support or configure TLS 1.3 */ - { - struct s2n_connection *conn = NULL; - EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER)); - - EXPECT_EQUAL(conn->server_protocol_version, S2N_TLS13); - - const struct s2n_security_policy *security_policy = NULL; - EXPECT_SUCCESS(s2n_connection_get_security_policy(conn, &security_policy)); - EXPECT_TRUE(s2n_security_policy_supports_tls13(security_policy)); - - EXPECT_SUCCESS(s2n_connection_free(conn)); - }; - } - /* TLS1.3 is not supported by default */ - else + /* TLS 1.3 is not used by default */ + EXPECT_FALSE(s2n_use_default_tls13_config()); { - - EXPECT_SUCCESS(s2n_disable_tls13_in_test()); - - /* TLS 1.3 is not used by default */ - EXPECT_FALSE(s2n_use_default_tls13_config()); /* Client does not support or configure TLS 1.3 */ { struct s2n_connection *conn = NULL; diff --git a/tls/s2n_config.c b/tls/s2n_config.c index 49c44358dfd..778dce920e8 100644 --- a/tls/s2n_config.c +++ b/tls/s2n_config.c 
@@ -213,14 +213,11 @@ int s2n_config_build_domain_name_to_cert_map(struct s2n_config *config, struct s struct s2n_config *s2n_fetch_default_config(void) { if (s2n_use_default_tls13_config()) { - fprintf(stderr, "DEBUG: Using s2n_default_tls13_config\n"); return &s2n_default_tls13_config; } if (s2n_is_in_fips_mode()) { - fprintf(stderr, "DEBUG: Using s2n_default_fips_config\n"); return &s2n_default_fips_config; } - fprintf(stderr, "DEBUG: Using s2n_default_config\n"); return &s2n_default_config; } diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c index 1752e91c6c7..edb4ba95cdf 100644 --- a/tls/s2n_security_policies.c +++ b/tls/s2n_security_policies.c @@ -32,6 +32,7 @@ const struct s2n_security_policy security_policy_20240501 = { }, }; +/* FIPS default as of 05/24 */ const struct s2n_security_policy security_policy_20240502 = { .minimum_protocol_version = S2N_TLS12, .cipher_preferences = &cipher_preferences_20240331, @@ -45,7 +46,6 @@ const struct s2n_security_policy security_policy_20240502 = { }, }; -/* FIPS default as of 05/25 */ const struct s2n_security_policy security_policy_20250416 = { .minimum_protocol_version = S2N_TLS12, .cipher_preferences = &cipher_preferences_20250422, 
@@ -1268,7 +1268,7 @@ const struct s2n_security_policy security_policy_null = {
 struct s2n_security_policy_selection security_policy_selection[] = {
 { .version = "default", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
- { .version = "default_fips", .security_policy = &security_policy_20250416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "default_fips", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_pq", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
diff --git a/tls/s2n_security_policies.h b/tls/s2n_security_policies.h
index 4bbce40e757..caca706f071 100644
--- a/tls/s2n_security_policies.h
+++ b/tls/s2n_security_policies.h
@@ -96,12 +96,12 @@ extern struct s2n_security_policy_selection security_policy_selection[]; extern const char *deprecated_security_policies[]; extern const size_t deprecated_security_policies_len; -/* Defaults as of 05/25 */ -extern const struct s2n_security_policy security_policy_20250416; +/* Defaults as of 05/24 */ extern const struct s2n_security_policy security_policy_20240501; extern const struct s2n_security_policy security_policy_20240502; extern const struct s2n_security_policy security_policy_20240503; +extern const struct s2n_security_policy security_policy_20250416; extern const struct s2n_security_policy security_policy_20241106; extern const struct s2n_security_policy security_policy_20140601; extern const struct s2n_security_policy security_policy_20141001; From 43661cec9c5e3ff5d4002f34c13de9f345b4d399 Mon Sep 17 00:00:00 2001 From: Jacob Jo Date: Tue, 13 May 2025 21:51:22 +0000 Subject: [PATCH 27/32] restore --- tests/unit/s2n_tls13_support_test.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/unit/s2n_tls13_support_test.c b/tests/unit/s2n_tls13_support_test.c index b2538523108..9bf6b6809b7 100644 --- a/tests/unit/s2n_tls13_support_test.c +++ b/tests/unit/s2n_tls13_support_test.c @@ -12,6 +12,7 @@ * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ + #include "s2n_test.h" #include "testlib/s2n_testlib.h" #include "tls/extensions/s2n_cookie.h" @@ -27,11 +28,12 @@ int main(int argc, char **argv) { BEGIN_TEST(); - EXPECT_SUCCESS(s2n_disable_tls13_in_test()); /* TLS 1.3 is not used by default */ EXPECT_FALSE(s2n_use_default_tls13_config()); + + /* TLS1.3 is not supported or configured by default */ { /* Client does not support or configure TLS 1.3 */ { From 0739a55949409b9cd54afef3b0884588acb16cea Mon Sep 17 00:00:00 2001 
From: Jacob Jo Date: Tue, 13 May 2025 23:48:27 +0000 Subject: [PATCH 28/32] updated documentation --- docs/usage-guide/topics/ch06-security-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/usage-guide/topics/ch06-security-policies.md b/docs/usage-guide/topics/ch06-security-policies.md index b6a9f1fb941..b1fcdd896c7 100644 --- a/docs/usage-guide/topics/ch06-security-policies.md +++ b/docs/usage-guide/topics/ch06-security-policies.md @@ -63,7 +63,7 @@ In contrast, numbered or dated versions are fixed and will never change. The num * "default_tls13": "20240503" For previous defaults, see the "Default Policy History" section below. -"default_fips" does not currently support TLS1.3. If you need a policy that supports both FIPS and TLS1.3, choose "20230317". We plan to add TLS1.3 support to both "default" and "default_fips" in the future. +"default_fips" does not currently support TLS1.3. If you need a policy that supports both FIPS and TLS1.3, choose "20250422". We plan to add TLS1.3 support to both "default" and "default_fips" in the future. "rfc9151" is derived from [Commercial National Security Algorithm (CNSA) Suite Profile for TLS and DTLS 1.2 and 1.3](https://datatracker.ietf.org/doc/html/rfc9151). This policy restricts the algorithms allowed for signatures on certificates in the certificate chain to RSA or ECDSA with sha384, which may require you to update your certificates. Like the default policies, this policy may also change if the source RFC definition changes. From e8af4a010dc02372e5836276481690e0fa6efa21 Mon Sep 17 00:00:00 2001 From: Jacob Jo Date: Wed, 14 May 2025 20:33:42 +0000 Subject: [PATCH 29/32] based off 20240502 --- docs/usage-guide/topics/ch06-security-policies.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/usage-guide/topics/ch06-security-policies.md b/docs/usage-guide/topics/ch06-security-policies.md index b1fcdd896c7..2e7e6bf2287 100644 --- a/docs/usage-guide/topics/ch06-security-policies.md 
+++ b/docs/usage-guide/topics/ch06-security-policies.md @@ -30,6 +30,7 @@ The following chart maps the security policy version to protocol version and cip | default | | | X | | X | X | | | | | X | | | default_fips | | | X | | X | X | | | | | X | | | default_tls13 | | | X | X | X | X | X | | | | X | | +| 20250422 | | | | X | | X | | | | | X | | | 20240501 | | | X | | X | X | | | | | X | | | 20240502 | | | X | | X | X | | | | | X | | | 20240503 | | | X | X | X | X | | | | | X | | @@ -88,6 +89,7 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly | default | X | X | | X | | default_fips | X | X | | X | | default_tls13 | X | X | | X | +| 20250422 | X | X | | X | | 20240501 | X | X | | X | | 20240502 | X | X | | X | | 20240503 | X | X | | X | @@ -123,6 +125,7 @@ s2n-tls usually prefers AES over ChaCha20. However, some clients-- particularly | default | X | X | X | | default_fips | X | X | | | default_tls13 | X | X | X | +| 20250422 | X | X | | | 20240501 | X | X | X | | 20240502 | X | X | | | 20240503 | X | X | X | From 0af658fc644aee77f42ccdeeaffcefe57d276834 Mon Sep 17 00:00:00 2001 From: Jacob Jo Date: Wed, 14 May 2025 20:43:44 +0000 Subject: [PATCH 30/32] removed from default --- tests/unit/s2n_security_policies_test.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c index bb4a98f962d..31d29e4240f 100644 --- a/tests/unit/s2n_security_policies_test.c +++ b/tests/unit/s2n_security_policies_test.c @@ -908,7 +908,6 @@ int main(int argc, char **argv) const struct s2n_security_policy *versioned_policies[] = { &security_policy_20240416, &security_policy_20240502, - &security_policy_20250416, }; const struct s2n_supported_cert supported_certs[] = { From 69032f88de2191fb1759c3528875dae2f5ca2d33 Mon Sep 17 00:00:00 2001 
From: Jacob Jo
Date: Wed, 14 May 2025 21:05:11 +0000
Subject: [PATCH 31/32] add new security policy for testing
---
 tests/unit/s2n_security_policies_test.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index 31d29e4240f..8048e82975d 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -346,6 +346,7 @@ int main(int argc, char **argv)
 "default_tls13",
 "test_all",
 "test_all_tls13",
+ "20250422",
 "20190801",
 "20190802",
 "KMS-TLS-1-2-2023-06",
From 2c44a0db0b3bf32f02a6f5c728509b1609ad9a29 Mon Sep 17 00:00:00 2001
From: Jacob Jo
Date: Wed, 14 May 2025 22:11:09 +0000
Subject: [PATCH 32/32] added to list of all security policies
---
 tests/unit/s2n_security_policies_test.c | 1 -
 tls/s2n_security_policies.c | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/unit/s2n_security_policies_test.c b/tests/unit/s2n_security_policies_test.c
index 8048e82975d..31d29e4240f 100644
--- a/tests/unit/s2n_security_policies_test.c
+++ b/tests/unit/s2n_security_policies_test.c
@@ -346,7 +346,6 @@ int main(int argc, char **argv)
 "default_tls13",
 "test_all",
 "test_all_tls13",
- "20250422",
 "20190801",
 "20190802",
 "KMS-TLS-1-2-2023-06",
diff --git a/tls/s2n_security_policies.c b/tls/s2n_security_policies.c
index edb4ba95cdf..17545044b39 100644
--- a/tls/s2n_security_policies.c
+++ b/tls/s2n_security_policies.c
@@ -1270,6 +1270,7 @@ struct s2n_security_policy_selection security_policy_selection[] = {
 { .version = "default_tls13", .security_policy = &security_policy_20240503, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_fips", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "default_pq", .security_policy = &security_policy_20241001, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
+ { .version = "20250416", .security_policy = &security_policy_20250416, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20241106", .security_policy = &security_policy_20241106, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20240501", .security_policy = &security_policy_20240501, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
 { .version = "20240502", .security_policy = &security_policy_20240502, .ecc_extension_required = 0, .pq_kem_extension_required = 0 },
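Review bot: The new entry registers the policy under `"20250416"`, but the usage-guide hunks in PATCH 28/32 and 29/32 tell users to choose "20250422" and add `20250422` rows to the policy tables, so the documented name presumably does not resolve through `security_policy_selection`. Pick one name and use it everywhere: either `.version = "20250422"` here, or "20250416" in ch06-security-policies.md. This commit also removes "20250422" from the test list in s2n_security_policies_test.c without adding the registered name, so no test in the visible hunks covers the new entry. The array continues outside the hunk.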