Skip to content

refactor: Adds tls13 ciphersuites to default/default_fips policy #5560

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

refactor: Adds tls13 ciphersuites to default/default_fips policy #5560

wants to merge 5 commits into from

Conversation

@maddeleine
Copy link
Contributor

@maddeleine maddeleine commented Oct 13, 2025
edited
Loading

Release Summary:

Multiple changes to the s2n-tls default policy:

  1. Added TLS13 support
  2. Added Post-Quantum key exchange
  3. Removed CBC ciphersuites

Resolved issues:

resolves #4765

Description of changes:

Creates two new security policies that are duplicates of "default" and "default_fips" except their ciphersuites list includes TLS1.3 ciphersuites, they now support PQ key exchange, and they now do not support CBC ciphersuites.

Note that "default" ciphersuite list supports chachapoly, but "default_fips" does not, as that ciphersuite is not fips.

Call-outs:

We are going to have to override and merge this change. This is because the cross-compatability tests for s2n clients(test_s2n_old_client_new_ticket/test_s2n_new_client_old_ticket) are correctly failing for this change. Essentially, because default previously only negotiated tls1.2, and now negotiates tls1.3, you're going to get failing resumption for the cross compat tests. You can't resume with a tls1.2 ticket on a tls1.3 connection, and you can't resume with a tls1.3 ticket on a tls1.2 connection.
If you want to know why only the client tests are failing in the cross-compat test and not the servers, the reason is that we switched the client tests to using "default" policies a while back, without also doing the same for the server tests. This means that the client tests are affected by "default" changes whereas the server tests are not.

Testing:

All other tests pass CI.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Oct 13, 2025
jmayclin
jmayclin reviewed Oct 16, 2025
View reviewed changes
@maddeleine maddeleine requested a review from jmayclin October 23, 2025 23:14
jmayclin
jmayclin approved these changes Oct 23, 2025
View reviewed changes
Copy link
Contributor

@jmayclin jmayclin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved, with the nit that we also add the dated versions of the policies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmayclin jmayclin jmayclin approved these changes

@CarolYeh910 CarolYeh910 CarolYeh910 approved these changes

Assignees

No one assigned

Labels

s2n-core team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Tracking issue: Update "default" and "default_fips" to support TLS1.3

3 participants

@maddeleine @jmayclin @CarolYeh910