{"id":44625043,"url":"https://github.com/igor-kupczynski/fips-echo-server","last_synced_at":"2026-02-14T15:08:06.176Z","repository":{"id":57691697,"uuid":"224526191","full_name":"igor-kupczynski/fips-echo-server","owner":"igor-kupczynski","description":"Experiments with FIPS-compliant Golang crypto","archived":false,"fork":false,"pushed_at":"2023-10-25T21:28:53.000Z","size":46,"stargazers_count":14,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-06-20T08:03:21.553Z","etag":null,"topics":["boringcrypto","fips","golang"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/igor-kupczynski.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-27T22:17:38.000Z","updated_at":"2024-01-08T06:18:58.000Z","dependencies_parsed_at":"2024-06-20T07:01:19.714Z","dependency_job_id":"0c7f8434-542d-49da-985c-f4fc61c3ca66","html_url":"https://github.com/igor-kupczynski/fips-echo-server","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/igor-kupczynski/fips-echo-server","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/igor-kupczynski%2Ffips-echo-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/igor-kupczynski%2Ffips-echo-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/igor-kupczynski%2Ffips-echo-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/igor-kupczynski%2Ffips-echo-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/igor-kupczynski","download_url":"https://codeload.github.com/igor-kupczynski/fips-echo-server/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/igor-kupczynski%2Ffips-echo-server/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29447768,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T14:10:32.461Z","status":"ssl_error","status_checked_at":"2026-02-14T14:09:49.945Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["boringcrypto","fips","golang"],"created_at":"2026-02-14T15:08:05.581Z","updated_at":"2026-02-14T15:08:06.143Z","avatar_url":"https://github.com/igor-kupczynski.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# fips-echo-server\n\nExperiments with FIPS-compliant Golang crypto\n\nThis repo has a companion blog post, check https://kupczynski.info/posts/fips-golang/\n\n ## Http echo server\n\nWe have a simple http(s) echo server. 
It echoes up to 140 characters of whatever you send to it.\n\nYou can test it locally (assuming you have the Go toolchain installed).\n\nLet's build and run it (press `Ctrl+C` to stop):\n```sh\n$ go build .\n$ ./fips-echo-server\n2022/09/28 22:53:25 Listening on https://localhost:8443 with cert=certs/domain.pem and key=certs/domain.key\n```\n\nAnd then test it in another terminal:\n```sh\n$ curl --cacert certs/ca.pem https://localhost:8443 -d \"hello\"\nhello\n```\n\nNote that I'm embedding some self-signed certs in the `certs` folder. We need the `--cacert certs/ca.pem` flag for curl to\ntrust them.\n\nYou can also run the tests:\n```sh\n$ go test ./...\n?   \tgithub.com/igor-kupczynski/fips-echo-server\t[no test files]\n=== RUN   TestServe\n=== RUN   TestServe/Echo_the_message_back_to_the_client\n=== RUN   TestServe/Limit_to_140_characters\n--- PASS: TestServe (0.04s)\n    --- PASS: TestServe/Echo_the_message_back_to_the_client (0.02s)\n    --- PASS: TestServe/Limit_to_140_characters (0.02s)\nPASS\nok  \tgithub.com/igor-kupczynski/fips-echo-server/echo\t0.222s\n```\n\n## Dockerized version\n\nTo build/run independently of a local go toolchain we provide a [Dockerfile](./Dockerfile).\n\nIt is based on `golang`, which is the _official_ go toolchain image. It adds the project folder to `/app` in\nthe container and compiles it into a binary. Finally, it exposes the `:8443` port and sets the produced binary as\nthe default startup command for the container.\n\nWe have a [`Makefile`](./Makefile) to save us some typing. Check it out for the exact commands.\n\nWe can build the docker container:\n```sh\n$ make build\n[+] Building 1.0s (10/10) FINISHED\n..\n =\u003e =\u003e naming to docker.io/library/fips-echo-server:go1.18.6\n```\n\nRun the tests within the container:\n```sh\n$ make test\n?   
\tgithub.com/igor-kupczynski/fips-echo-server\t[no test files]\n=== RUN   TestServe\n=== RUN   TestServe/Echo_the_message_back_to_the_client\n=== RUN   TestServe/Limit_to_140_characters\n--- PASS: TestServe (0.04s)\n    --- PASS: TestServe/Echo_the_message_back_to_the_client (0.02s)\n    --- PASS: TestServe/Limit_to_140_characters (0.02s)\nPASS\nok  \tgithub.com/igor-kupczynski/fips-echo-server/echo\t0.045s\n```\n\nAnd finally run the container with the echo server:\n```sh\n$ make run\n2022/09/28 20:54:35 Listening on https://0.0.0.0:8443 with cert=certs/domain.pem and key=certs/domain.key\n```\n\nThe main motivation for the dockerized build \u0026 run in the repo is to demonstrate the FIPS compliant go toolchain.\nIt will save us the hassle of setting it up later.\n\n## TLS setup\n\nSuggested reading from Cloudflare on the subject —\n[_So you want to expose Go on the Internet_](https://blog.cloudflare.com/exposing-go-on-the-internet/).\n\nWhat are the ciphers we use by default? To test that we'll use the [`testssl.sh`](https://github.com/drwetter/testssl.sh)\nscript.\n\n```sh\n# not in the project directory\n$ git clone git@github.com:drwetter/testssl.sh.git\n$ cd testssl.sh\n$ ./testssl.sh localhost:8443\n...\n Testing server's cipher preferences \n\nHexcode  Cipher Suite Name (OpenSSL)       KeyExch.   
Encryption  Bits     Cipher Suite Name (IANA/RFC)\n-----------------------------------------------------------------------------------------------------------------------------\nSSLv2\n - \nSSLv3\n - \nTLSv1 (server order)\n xc013   ECDHE-RSA-AES128-SHA              ECDH 521   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 \n xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 \n x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       \n x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       \n xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 521   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                \n x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      \nTLSv1.1 (server order)\n xc013   ECDHE-RSA-AES128-SHA              ECDH 521   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 \n xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 \n x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       \n x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       \n xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 521   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                \n x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      \nTLSv1.2 (server order -- server prioritizes ChaCha ciphers when preferred by clients)\n xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 521   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              \n 
xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              \n xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 521   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        \n xc013   ECDHE-RSA-AES128-SHA              ECDH 521   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 \n xc014   ECDHE-RSA-AES256-SHA              ECDH 521   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 \n x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    \n x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    \n x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       \n x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       \n xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 521   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                \n x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      \nTLSv1.3 (no server order, thus listed by strength)\n x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             \n x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       \n x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                             \n\n Has server cipher order?     yes (OK) -- only for \u003c TLS 1.3\n Negotiated protocol          TLSv1.3\n Negotiated cipher            TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)\n...\n```\n\n`testssl.sh` presents a long report, but for us the important part is given above. 
By default, go 1.18 supports\nTLSv1.0--TLSv1.3.\n\nLet's be more strict here and select only the\n[protocols and ciphers recommended by Mozilla for a _modern_ configuration](https://wiki.mozilla.org/Security/Server_Side_TLS).\n\n_You can also add the args to `CMD` in `Dockerfile`_.\n\n```sh\n$ ./fips-echo-server -tlsVersion TLSv1.3 -tlsCiphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256\n```\n\nThis results in:\n```sh\n...\n Testing server's cipher preferences \n\nHexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)\n-----------------------------------------------------------------------------------------------------------------------------\nSSLv2\n - \nSSLv3\n - \nTLSv1\n - \nTLSv1.1\n - \nTLSv1.2\n - \nTLSv1.3 (no server order, thus listed by strength)\n x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             \n x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       \n x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256                             \n\n Has server cipher order?     no (TLS 1.3 only)\n Negotiated protocol          TLSv1.3\n Negotiated cipher            TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) (limited sense as client will pick)\n```\n\n## FIPS compliant version\n\nPlease check the\n[`boringcrypto-1.18` branch](https://github.com/igor-kupczynski/fips-echo-server/compare/main-1.18...boringcrypto-1.18)\nfor details. 
Compare it with the current one to find the changes needed to support a FIPS mode in our app.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Figor-kupczynski%2Ffips-echo-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Figor-kupczynski%2Ffips-echo-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Figor-kupczynski%2Ffips-echo-server/lists"}