Go version
go version go1.25.0 linux/amd64
Output of go env in your module/workspace:
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/dummy/.cache/go-build'
GOCACHEPROG=''
GODEBUG='fips140=only'
GOENV='/home/dummy/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3735951820=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/home/dummy/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/dummy/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/dummy/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.25.0'
GOWORK=''
PKG_CONFIG='pkg-config'
GOROOT/bin/go version: go version go1.25.0 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.25.0
uname -sr: Linux 5.15.0-97-generic
Distributor ID: Ubuntu
Description: Ubuntu 22.04.5 LTS
Release: 22.04
Codename: jammy
/lib/x86_64-linux-gnu/libc.so.6: GNU C Library (Ubuntu GLIBC 2.35-0ubuntu3.8) stable release version 2.35.
gdb --version: GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1
What did you do?
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
)

func main() {
	tlsConfig := &tls.Config{} // zero-value config: library defaults apply
	transport := &http.Transport{
		TLSClientConfig: tlsConfig,
	}

	client := &http.Client{Transport: transport}

	resp, err := client.Get("https://bing.com:443")
	if err != nil {
		panic("failed to connect: " + err.Error()) // reached under GODEBUG=fips140=only
	}
	defer resp.Body.Close()

	content, err := io.ReadAll(resp.Body)
	if err != nil {
		panic("failed to read: " + err.Error())
	}
	fmt.Println(string(content))
}
What did you see happen?
For the above test code:
$ export GODEBUG="fips140=only"; go run test.go
panic: failed to connect: Get "https://bing.com:443": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
goroutine 1 [running]:
main.main()
/home/dummy/code/test.go:20 +0x226
exit status 2
What did you expect to see?
The test code works in Go 1.24.6, but the use of X25519 is already not allowed in FIPS 140-only mode in Go 1.24.6: https://cs.opensource.google/go/go/+/refs/tags/go1.24.6:src/crypto/ecdh/x25519.go
How should we understand this behavioral change? What should we do to make the above test code run in fips140=only mode?