5 changes: 5 additions & 0 deletions base/poco/NetSSL_OpenSSL/include/Poco/Net/Context.h
Expand Up @@ -148,6 +148,11 @@ namespace Net
/// Specifies the supported ciphers in OpenSSL notation.
/// Defaults to "ALL:!ADH:!LOW:!EXP:!MD5:!3DES:@STRENGTH".

std::string cipherSuites;
/// Specifies the supported TLSv1.3 ciphersuites in OpenSSL notation.
/// Defaults to "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
/// (FIPS-approved ciphersuites only).

std::string dhParamsFile;
/// Specifies a file containing Diffie-Hellman parameters.
/// If empty, the default parameters are used.
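Review bot: The new `cipherSuites` comment never says which protocol version it governs and the neighbouring `cipherList` comment still reads as if it covered every cipher, while the SSLManager.h hunk in this same commit adds "Only applies to TLSv1.2 and below" to its cipherList entry; the two headers should document the same split. Change the cipherList line to `/// Specifies the supported ciphers in OpenSSL notation (TLSv1.2 and below only).` and extend the cipherSuites comment with `/// The string is handed to OpenSSL unchanged; it governs TLSv1.3 only.`. If the vendored OpenSSL behaves as documented upstream, an empty string leaves no TLSv1.3 ciphersuite enabled, which is worth stating here once confirmed. The Params struct these fields belong to starts outside the hunk.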
7 changes: 6 additions & 1 deletion base/poco/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
Expand Up @@ -78,6 +78,7 @@ namespace Net
/// <verificationDepth>1..9</verificationDepth>
/// <loadDefaultCAFile>true|false</loadDefaultCAFile>
/// <cipherList>ALL:!ADH:!LOW:!EXP:!MD5:!3DES:@STRENGTH</cipherList>
/// <cipherSuites>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384</cipherSuites>
/// <preferServerCiphers>true|false</preferServerCiphers>
/// <privateKeyPassphraseHandler>
/// <name>KeyFileHandler</name>
Expand Down Expand Up @@ -119,7 +120,9 @@ namespace Net
/// will fail if a certificate chain larger than this is encountered.
/// - loadDefaultCAFile (boolean): Specifies whether the builtin CA certificates from OpenSSL are used.
/// - cipherList (string): Specifies the supported ciphers in OpenSSL notation
/// (e.g. "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH").
/// (e.g. "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"). Only applies to TLSv1.2 and below.
/// - cipherSuites (string): Specifies the supported TLSv1.3 ciphersuites in OpenSSL notation.
/// Defaults to "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256" (FIPS-approved ciphersuites only).
/// - preferServerCiphers (bool): When choosing a cipher, use the server's preferences instead of the
/// client preferences. When not called, the SSL server will always follow the clients
/// preferences. When called, the SSL/TLS server will choose following its own
Expand Down Expand Up @@ -278,6 +281,8 @@ namespace Net
static const std::string CFG_CIPHER_LIST;
static const std::string CFG_CYPHER_LIST; // for backwards compatibility
static const std::string VAL_CIPHER_LIST;
static const std::string CFG_CIPHER_SUITES;
static const std::string VAL_CIPHER_SUITES;
static const std::string CFG_PREFER_SERVER_CIPHERS;
static const std::string CFG_DELEGATE_HANDLER;
static const std::string VAL_DELEGATE_HANDLER;
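Review bot: The XML example in the first hunk lists `TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384`, the reverse of the default documented in the second hunk and of VAL_CIPHER_SUITES and Context::Params elsewhere in this commit. Since the example is what operators copy into their config, and OpenSSL treats the string as an ordered preference list when server preference is enabled, an inverted example silently demotes the 256-bit suite. Make it match the default: `/// <cipherSuites>TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256</cipherSuites>`. The documented option list also sits inside a class comment that starts before the hunk.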
4 changes: 3 additions & 1 deletion base/poco/NetSSL_OpenSSL/src/Context.cpp
Expand Up @@ -42,7 +42,8 @@ Context::Params::Params():
verificationMode(VERIFY_RELAXED),
verificationDepth(9),
loadDefaultCAs(false),
cipherList("ALL:!ADH:!LOW:!EXP:!MD5:!3DES:@STRENGTH")
cipherList("ALL:!ADH:!LOW:!EXP:!MD5:!3DES:@STRENGTH"),
cipherSuites("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256")
{
}

Expand Down Expand Up @@ -322,6 +323,7 @@ void Context::init(const Params& params)
SSL_CTX_set_verify(_pSSLContext, params.verificationMode, &SSLManager::verifyClientCallback);

SSL_CTX_set_cipher_list(_pSSLContext, params.cipherList.c_str());
SSL_CTX_set_ciphersuites(_pSSLContext, params.cipherSuites.c_str());
SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
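Review bot: The return value of the new `SSL_CTX_set_ciphersuites` call in the init() hunk is discarded; the function returns 1 on success and 0 when the string cannot be parsed, in which case OpenSSL keeps whatever TLSv1.3 list was previously in effect. A typo in a deliberately restrictive `cipherSuites` setting therefore yields the broader built-in default with no error, which is the opposite of what the operator asked for. Fail loudly instead: `if (SSL_CTX_set_ciphersuites(_pSSLContext, params.cipherSuites.c_str()) != 1)` followed by `throw SSLContextException("Cannot set TLSv1.3 ciphersuites", params.cipherSuites);`. The existing `SSL_CTX_set_cipher_list` call above has the same gap, but the new line is the one under review; init() begins and ends outside the hunk.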
3 changes: 3 additions & 0 deletions base/poco/NetSSL_OpenSSL/src/SSLManager.cpp
Expand Up @@ -42,6 +42,8 @@ const bool SSLManager::VAL_ENABLE_DEFAULT_CA(true);
const std::string SSLManager::CFG_CIPHER_LIST("cipherList");
const std::string SSLManager::CFG_CYPHER_LIST("cypherList");
const std::string SSLManager::VAL_CIPHER_LIST("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
const std::string SSLManager::CFG_CIPHER_SUITES("cipherSuites");
const std::string SSLManager::VAL_CIPHER_SUITES("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256");
const std::string SSLManager::CFG_PREFER_SERVER_CIPHERS("preferServerCiphers");
const std::string SSLManager::CFG_DELEGATE_HANDLER("privateKeyPassphraseHandler.name");
const std::string SSLManager::VAL_DELEGATE_HANDLER("KeyConsoleHandler");
Expand Down Expand Up @@ -275,6 +277,7 @@ void SSLManager::initDefaultContext(bool server)
params.loadDefaultCAs = config.getBool(prefix + CFG_ENABLE_DEFAULT_CA, VAL_ENABLE_DEFAULT_CA);
params.cipherList = config.getString(prefix + CFG_CIPHER_LIST, VAL_CIPHER_LIST);
params.cipherList = config.getString(prefix + CFG_CYPHER_LIST, params.cipherList); // for backwards compatibility
params.cipherSuites = config.getString(prefix + CFG_CIPHER_SUITES, VAL_CIPHER_SUITES);
bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
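Review bot: `VAL_CIPHER_SUITES` in the first hunk duplicates the literal that Context::Params::Params() in Context.cpp also initialises, with nothing tying the two together. The cipherList precedent two lines above shows how this drifts: VAL_CIPHER_LIST here lacks the `!3DES` that the Context.cpp default carries, so the two defaults for the same setting already disagree. At minimum mark the coupling so the next edit touches both, e.g. `// Keep in sync with the default in Context::Params::Params() (Context.cpp)` on the VAL_CIPHER_SUITES line, or derive one from the other if static-initialisation order permits. The initDefaultContext() hunk reads the new key into params without any alias, which is fine for a newly introduced setting.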
1 change: 1 addition & 0 deletions src/Server/PostgreSQLHandler.cpp
Expand Up @@ -90,6 +90,7 @@ PostgreSQLHandler::PostgreSQLHandler(
params.cipherList = config.getString(prefix + Poco::Net::SSLManager::CFG_CIPHER_LIST, Poco::Net::SSLManager::VAL_CIPHER_LIST);
params.cipherList
= config.getString(prefix + Poco::Net::SSLManager::CFG_CYPHER_LIST, params.cipherList); // for backwards compatibility
params.cipherSuites = config.getString(prefix + Poco::Net::SSLManager::CFG_CIPHER_SUITES, Poco::Net::SSLManager::VAL_CIPHER_SUITES);

bool require_tlsv1 = config.getBool(prefix + Poco::Net::SSLManager::CFG_REQUIRE_TLSV1, false);
bool require_tlsv1_1 = config.getBool(prefix + Poco::Net::SSLManager::CFG_REQUIRE_TLSV1_1, false);
1 change: 1 addition & 0 deletions src/Server/TLSHandler.cpp
Expand Up @@ -51,6 +51,7 @@ DB::TLSHandler::TLSHandler(
params.loadDefaultCAs = config.getBool(prefix + SSLManager::CFG_ENABLE_DEFAULT_CA, SSLManager::VAL_ENABLE_DEFAULT_CA);
params.cipherList = config.getString(prefix + SSLManager::CFG_CIPHER_LIST, SSLManager::VAL_CIPHER_LIST);
params.cipherList = config.getString(prefix + SSLManager::CFG_CYPHER_LIST, params.cipherList); // for backwards compatibility
params.cipherSuites = config.getString(prefix + SSLManager::CFG_CIPHER_SUITES, SSLManager::VAL_CIPHER_SUITES);

bool require_tlsv1 = config.getBool(prefix + SSLManager::CFG_REQUIRE_TLSV1, false);
bool require_tlsv1_1 = config.getBool(prefix + SSLManager::CFG_REQUIRE_TLSV1_1, false);