
Add negative test to verify failure to fetch the file resource with non-FIPS algorithms #4520

@HuijingHei

Description

According to #4477 (comment), #4477 (comment), #4477 (comment)

When testing this, we do not need both the client and the server to be FIPS-enabled to have a valid TLS connection; we just care that the part you control is in FIPS mode.

PR #4373 (enable FIPS on client) covers the test in which the Ignition config fetches a file from the FIPS-compliant nginx; we need to add a negative test that verifies that attempting to use algorithms that aren't FIPS-compliant in nginx makes the connection fail.

The steps are:

  • On server side (non-FIPS):
    Build the nginx container and add `ssl_ecdh_curve X25519` in nginx.conf, which means: when a client connects, I want to use the X25519 curve to negotiate the encryption keys (and X25519 is not FIPS-compliant).
    Run nginx.

  • On client (FIPS enabled):
    Start with FIPS enabled; using Ignition to fetch a file from the server fails.

See the details in https://hackmd.io/6KV-LsE3QReu34nQQOgruA?view
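As an added example (not code from the issue, from Ignition or from the nginx project), the server config for the negative test described above, beside a variant restricted to FIPS-approved NIST curves, plus a small lint for the `ssl_ecdh_curve` directive so a test harness can tell the two apart before starting nginx. Certificate paths are placeholders.

```shell
# Server for the negative test: X25519 only, so a FIPS-mode client has no
# approved group to offer and the handshake fails. Cert paths are placeholders.
negative_test_conf() {
cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    ssl_ecdh_curve X25519;   # not FIPS-approved
}
EOF
}

# Same server restricted to NIST curves, which a FIPS client accepts.
fips_conf() {
cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    ssl_ecdh_curve prime256v1:secp384r1;
}
EOF
}

# Print the curves from ssl_ecdh_curve one per line (nginx takes a
# colon-separated list); comments are stripped first.
nginx_ecdh_curves() {
    sed -e 's/#.*$//' "$1" \
      | awk '$1 == "ssl_ecdh_curve" { sub(/;$/, "", $2); print $2 }' \
      | tr ':' '\n'
}

# Return 0 when every configured curve is a FIPS-approved NIST curve, 1
# otherwise. No directive, or "auto", means the OpenSSL default list,
# which includes X25519, so both are reported as non-compliant.
check_fips_ecdh() {
    curves=$(nginx_ecdh_curves "$1")
    [ -n "$curves" ] || { echo "$1: ssl_ecdh_curve not set"; return 1; }
    status=0
    for c in $curves; do
        case "$c" in
            prime256v1|secp384r1|secp521r1|P-256|P-384|P-521) ;;
            *) echo "$1: non-FIPS curve '$c'"; status=1 ;;
        esac
    done
    return $status
}
```

Run `check_fips_ecdh` against the config you are about to serve: for the negative test it should fail (X25519 is reported), and for the FIPS-compliant server it should pass.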
