Change to Envoy FIPS builds


Ryan Hamilton

Mar 11, 2025, 5:50:29 PM
to envoy-secur...@googlegroups.com, envoy-users

TL;DR Envoy will be changing the BoringSSL version used when generating FedRAMP-compliant builds.

The FedRAMP board recently published a new policy saying that it’s not just allowed but preferred that projects use an “update stream” which does not strictly limit itself to versions that have passed the (extremely slow) validation process. BoringSSL has updated their project documentation to reference this and clarify that their “update stream” is the main branch. As a result, in two weeks Envoy will be switching our FIPS builds from the pinned FIPS-validated version of BoringSSL to instead use the “update stream” main BoringSSL version. This will mean both FIPS and non-FIPS builds of Envoy will use the same BoringSSL version.

We believe this will not present any compliance issues, but out of an abundance of caution wanted to announce this change before we made it.

Cheers,

Ryan (on behalf of Envoy Maintainers)
