Using FIPS-compliant boring Go to connect to

Summary - Trying Boring Go in FIPS mode to connect to Microsoft services (Azure). The intermediate CA certificate for Microsoft has a 4096-bit public key that is not allowed by Boring Go (Code here ). Is there any workaround without having to turn off FIPS mode?

go version go1.14b4 linux/amd64

Hi all,
So I am working on an application that is required to run in FIPS mode and has to connect to Azure services. I looked up the Boring Go branch, got version 1.14 and started using it.
While trying to connect to Azure services (for e.g. graph[dot]microsoft[dot]com or even microsoft[dot]com), I was getting an incompatible certificate usage issue. Here is the sample code I am using -
```go
package main

import (
	_ "crypto/tls/fipsonly" // Code works without this but we need the application to run in FIPS
	"fmt"
	"io/ioutil"
	"net/http"
)

func main() {
	url := "https: //" // Space put here because of two link limit
	fmt.Printf("HTML code of %s ...\n", url)
	client := &http.Client{}
	resp, err := client.Get(url)
	if err != nil {
		panic(err) // this is the panic shown in the output below
	}
	defer resp.Body.Close()
	html, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", html)
}
```

The error I get is as follows -
```
HTML code of https: // ...
panic: Get "": x509: certificate specifies an incompatible key usage

goroutine 1 [running]:
main.main()
	/usr/local/go/bin/test.go:15 +0x26c
exit status 2
```

I checked the Go code and found that a certificate with a 4096-bit public key is not a valid certificate according to the IsBoringCertificate function. The intermediate certificate in Microsoft's certificate chain has a 4096-bit public key.

So, my questions are as follows:

  1. Is this intended behavior?
  2. If yes, is there any workaround via which I can keep FIPS mode on and connect to these services? This workaround can be code changes or using different tools. However, I can't turn off FIPS mode.

Thanks for going through this !
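A pre-flight check that makes the failure above visible before the TLS handshake does, as an added example that is not part of the original post and not the Go project's own code. It mirrors the key rule the poster describes for go1.14's boringcrypto branch (assumption: RSA keys must be exactly 2048 or 3072 bits and ECDSA keys must be on P-256 or P-384; anything else is rejected), walks a chain leaf-to-root and reports every certificate whose key that rule would refuse. The chain it inspects is constructed in memory with throwaway keys (a 2048-bit RSA root, a 4096-bit RSA intermediate shaped like the one the post hits, and a P-256 leaf); it is not Microsoft's real chain. To inspect a live server instead, feed `CheckChain` the `PeerCertificates` of a verified `tls.Conn`.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyAllowedInFIPSOnly encodes the rule the post attributes to IsBoringCertificate
// (assumption: RSA 2048/3072 only, ECDSA P-256/P-384 only). It returns whether
// the key passes and a human-readable description of the key for reporting.
func keyAllowedInFIPSOnly(pub crypto.PublicKey) (bool, string) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		bits := k.N.BitLen()
		return bits == 2048 || bits == 3072, fmt.Sprintf("RSA %d-bit", bits)
	case *ecdsa.PublicKey:
		name := k.Curve.Params().Name
		return name == "P-256" || name == "P-384", fmt.Sprintf("ECDSA %s", name)
	default:
		return false, fmt.Sprintf("%T", pub)
	}
}

// CheckChain reports every certificate (leaf first) whose public key the
// FIPS-only rule rejects. An empty result means the chain would be accepted.
func CheckChain(chain []*x509.Certificate) []string {
	var findings []string
	for i, c := range chain {
		if ok, desc := keyAllowedInFIPSOnly(c.PublicKey); !ok {
			findings = append(findings, fmt.Sprintf(
				"chain[%d] %q: %s not permitted in FIPS-only mode", i, c.Subject.CommonName, desc))
		}
	}
	return findings
}

// makeCert issues a minimal certificate; parent == nil means self-signed.
func makeCert(cn string, pub crypto.PublicKey, parent *x509.Certificate, signer crypto.Signer, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoChain constructs throwaway test data (not real certificates):
// leaf (P-256) <- intermediate (RSA 4096) <- root (RSA 2048).
func BuildDemoChain() ([]*x509.Certificate, error) {
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	interKey, err := rsa.GenerateKey(rand.Reader, 4096) // the offending key size from the post
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	root, err := makeCert("Demo Root", rootKey.Public(), nil, rootKey, true)
	if err != nil {
		return nil, err
	}
	inter, err := makeCert("Demo Intermediate", interKey.Public(), root, rootKey, true)
	if err != nil {
		return nil, err
	}
	leaf, err := makeCert("demo.example", leafKey.Public(), inter, interKey, false)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, nil
}

func main() {
	chain, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	for _, f := range CheckChain(chain) {
		fmt.Println(f)
	}
}
```

Only the intermediate is reported, which is exactly the position in the chain the post identifies; the leaf and root pass. Running this against a server's chain before enabling `crypto/tls/fipsonly` tells you which certificate will trip the check rather than leaving you with the generic "incompatible key usage" panic.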
