[8.19] (backport #7912) [FIPS] Ensure that Agent cannot present a client-side TLS certificate created with a RSA keypair of less than 2048 bits length#8040
Merged
… created with a RSA keypair of less than 2048 bits length (#7912)

* Adding test for unsupported TLS versions sent by client
* Add TODO for second test
* Add test case for multiple versions
* Removing unused code
* Add test for config hosts validation
* Remove hosts validation
* Refactoring test cases to take in any TLS configuration, not just versions
* Add test for RSA keypair with < 2048 key length
* Updating comment
* Add test case for using certificate with RSA keypair < 2048 bits
* Adding test data files
* Revert test scope
* Update test to fail on handshake
* Rename agent key and cert for clarity
* Adding test case with secure Agent certificate
* Adding README to testdata folder to explain manual generation of keys+certs
* Reverting unintended changes from conflict resolution
* Removing irrelevant integration test
* Remove unused variables
* Remove CA private key
* Renaming root -> CA for clarity
* Rename files and variable to make purpose clearer
* Adding .gitignore for CA private key file
* Introduce GoDebugFIPS140() function
* Separate test cases based on GODEBUG=fips140= value
* Rename test cases for clarity
* Remove test cases for GODEBUG=fips140=on
* Adjust test cases to assume upstream Go instead of Microsoft Go
* Be explicit in all constant types
* Fix data race

(cherry picked from commit 0eb4f0f)
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
ycombinator
approved these changes
Apr 29, 2025


What does this PR do?

This PR ensures that remote.Clients created with a configuration containing a client-side TLS certificate generated from an RSA keypair < 2048 bits in length cannot be created in FIPS mode.

Why is it important?

FIPS-140 does not allow use of RSA with keylengths < 2048 bits.

Checklist

- I have made corresponding changes to the documentation
- I have made corresponding change to the default configuration files
- I have added an entry in ./changelog/fragments using the changelog tool
- I have added an integration test or an E2E test

Disruptive User Impact

Users using FIPS-capable Elastic Agents with client-side TLS certificates that are generated with RSA, must generate the RSA keypairs with a minimum of 2048 bits key lengths.
This is an automatic backport of pull request #7912 done by [Mergify](https://mergify.com).
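
A preflight check for the requirement described above, as an added example that is not code from this PR or from Elastic Agent: it parses a PEM client certificate and rejects an RSA public key shorter than 2048 bits. The names `CheckClientCertKeySize`, `sampleCertPEM` and `minRSABits` are hypothetical, and the certificates are constructed in the example itself.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

const minRSABits = 2048 // minimum RSA size stated in the PR description

// CheckClientCertKeySize (hypothetical name) rejects a PEM certificate whose
// RSA public key is shorter than minRSABits; non-RSA keys are not examined.
func CheckClientCertKeySize(certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		return fmt.Errorf("RSA key is %d bits, minimum is %d", pub.N.BitLen(), minRSABits)
	}
	return nil
}

// sampleCertPEM builds a constructed self-signed certificate for the demo.
func sampleCertPEM(bits int) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-agent"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	for _, bits := range []int{1024, 2048} {
		fmt.Printf("%d-bit: %v\n", bits, CheckClientCertKeySize(sampleCertPEM(bits)))
	}
}
```

Running the same check over a certificate file before deploying it to a FIPS-capable Agent surfaces an undersized key before the Agent refuses to create its client.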