fix: separate cipher suites and curve preferences into FIPS and non FIPS, and use them accordingly (#3523)

See: https://github.com/project-zot/zot/actions/runs/19209741002/job/54910194536 `failed to ping registry localhost:11448: Get "https://localhost:11448/v2/": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode` Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
2026-06-17 21:17:58 +08:00 · 2025-11-10 23:24:59 +02:00
parent b64add7715
commit a8a6d3be9e
3 changed files with 244 additions and 17 deletions
@@ -12,7 +12,15 @@ permissions: read-all
 jobs:
  tls-check:
    runs-on: ubuntu-latest
-    name: TLS check
+    strategy:
+      matrix:
+        mode: [non-fips, fips]
+        include:
+          - mode: non-fips
+            godebug: ""
+          - mode: fips
+            godebug: "fips140=only"
+    name: TLS check (${{ matrix.mode }})
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v6
@@ -25,15 +33,31 @@ jobs:
          mkdir -p test/data
          cd test/data
          ../scripts/gen_certs.sh
-      - name: Check for TLS settings
+      - name: Build binary
        run: |
          cd $GITHUB_WORKSPACE
          make binary
+      - name: Start zot server (${{ matrix.mode }})
+        run: |
+          cd $GITHUB_WORKSPACE
+          if [[ -n "${{ matrix.godebug }}" ]]; then
+            export GODEBUG="${{ matrix.godebug }}"
+          fi
          bin/zot-linux-amd64 serve examples/config-tls.json & echo $! > zot.PID
+          if [[ -n "${{ matrix.godebug }}" ]]; then
+            unset GODEBUG
+          fi
          sleep 5
          # Check if zot server is running
          cat /proc/$(cat zot.PID)/status | grep State || exit 1
          curl -k --connect-timeout 3 --max-time 5 --retry 60 --retry-delay 1 --retry-max-time 180 --retry-connrefused https://localhost:8080/v2/
-
-          # zot server is running: proceed to testing
+      - name: Run TLS tests (${{ matrix.mode }})
+        run: |
+          cd $GITHUB_WORKSPACE
          ./test/scripts/tls_scan.sh
+          ./test/scripts/tls_cipher_check.sh ${{ matrix.mode }} localhost:8080
+      - name: Cleanup
+        if: always()
+        run: |
+          cd $GITHUB_WORKSPACE
+          [[ -f zot.PID ]] && kill $(cat zot.PID) 2>/dev/null || true