
Facing issue tls: FIPS 140-3 requires the use of Extended Master Secret

-2

We have a proxy service to connect to AWS RDS and Aurora databases, and it has FIPS support. The Dockerfile is built using CGO_ENABLED=1 GOEXPERIMENT=boringcrypto. While we were using Go version 1.24.13 we didn't face any issue with password-based connection to the database. Post upgrading to 1.25.7 we are seeing the error "FIPS 140-3 requires the use of Extended Master Secret" while using password-based connectivity, whereas IAM-based connectivity works well.

1 Answer
1

Hello Deepika

Thank you for providing details regarding your concern.

As you are aware, when FIPS 140-3 mode is enabled, Extended Master Secret is now required in TLS 1.2, and Ed25519 and X25519MLKEM768 are now allowed.

[+] https://go.dev/doc/go1.25

Further, while using RDS Proxy, Go 1.24 connectivity is working for you whereas with Go 1.25 it is failing.

RDS PostgreSQL does support TLS with Extended Master Secret (EMS). This is evidenced by the PostgreSQL 16.1 release notes, which indicate two critical changes: implementation of a FIPS version of aws-lc and support for TLS 1.3 protocol settings. TLS 1.3 inherently includes EMS functionality as part of its protocol specification.

[+] https://docs.aws.amazon.com/AmazonRDS/latest/PostgreSQLReleaseNotes/postgresql-versions.html#postgresql-versions-version161

Kindly try your connectivity with a Postgres 16.1+ database, or you can upgrade your current database.

To get details related to your specific instance and your account, you can reach out to AWS Support through a case.

We can then assist you accordingly with your concern.

AWS
answered 2 months ago
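The error in the question comes from the Go client, which in FIPS 140-3 mode refuses a TLS 1.2 handshake whose ServerHello does not carry the extended_master_secret extension (RFC 7627, type 0x0017). A quick way to see which side is at fault is to look at the server's ServerHello directly. The following is an added example, not code from the question, the AWS answer, the Go project or RDS: it parses a TLS record containing a ServerHello, records the negotiated version (honouring supported_versions for TLS 1.3) and whether EMS was offered, and applies the Go 1.25 FIPS rule. The helper names (buildServerHello, parseServerHello, goFIPSWouldReject) are mine, and the three ServerHello records are constructed in-line with zeroed randoms and empty session IDs rather than captured from any real database endpoint.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Extension types from the IANA TLS ExtensionType registry.
const (
	extExtendedMasterSecret = 0x0017 // RFC 7627; required by Go 1.25 FIPS mode for TLS 1.2
	extSupportedVersions    = 0x002b // RFC 8446; carries the real version for TLS 1.3
)

type extension struct {
	typ  uint16
	data []byte
}

// ServerHelloInfo holds the fields relevant to the EMS check.
type ServerHelloInfo struct {
	Version     uint16   // negotiated version (supported_versions overrides legacy_version)
	CipherSuite uint16
	Extensions  []uint16 // extension types in wire order
	HasEMS      bool
}

// buildServerHello constructs a TLS record carrying a ServerHello.
// It exists only to produce constructed sample input for this example.
func buildServerHello(legacyVersion, suite uint16, exts []extension) []byte {
	body := binary.BigEndian.AppendUint16(nil, legacyVersion)
	body = append(body, make([]byte, 32)...) // server random, zeroed for the sample
	body = append(body, 0)                   // empty session_id
	body = binary.BigEndian.AppendUint16(body, suite)
	body = append(body, 0) // compression_method null
	if len(exts) > 0 {
		var eb []byte
		for _, e := range exts {
			eb = binary.BigEndian.AppendUint16(eb, e.typ)
			eb = binary.BigEndian.AppendUint16(eb, uint16(len(e.data)))
			eb = append(eb, e.data...)
		}
		body = binary.BigEndian.AppendUint16(body, uint16(len(eb)))
		body = append(body, eb...)
	}
	hs := append([]byte{0x02, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	rec := binary.BigEndian.AppendUint16([]byte{0x16, 0x03, 0x03}, uint16(len(hs)))
	return append(rec, hs...)
}

// parseServerHello walks record -> handshake message -> ServerHello -> extensions,
// bounds-checking every length field so a truncated or hostile input returns an error.
func parseServerHello(rec []byte) (ServerHelloInfo, error) {
	var info ServerHelloInfo
	if len(rec) < 5 || rec[0] != 0x16 {
		return info, errors.New("not a TLS handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+recLen {
		return info, errors.New("truncated record")
	}
	hs := rec[5 : 5+recLen]
	if len(hs) < 4 || hs[0] != 0x02 {
		return info, errors.New("not a ServerHello")
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen {
		return info, errors.New("truncated handshake message")
	}
	b := hs[4 : 4+hsLen]
	if len(b) < 2+32+1 {
		return info, errors.New("ServerHello too short")
	}
	info.Version = binary.BigEndian.Uint16(b[:2]) // legacy_version; fixed up below for TLS 1.3
	sidLen := int(b[34])
	b = b[35:]
	if len(b) < sidLen+3 {
		return info, errors.New("truncated session_id or cipher suite")
	}
	b = b[sidLen:]
	info.CipherSuite = binary.BigEndian.Uint16(b[:2])
	b = b[3:] // skip cipher_suite and compression_method
	if len(b) == 0 {
		return info, nil // no extensions block at all: certainly no EMS
	}
	if len(b) < 2 {
		return info, errors.New("truncated extensions length")
	}
	extLen := int(binary.BigEndian.Uint16(b[:2]))
	b = b[2:]
	if len(b) < extLen {
		return info, errors.New("truncated extensions")
	}
	b = b[:extLen]
	for len(b) > 0 {
		if len(b) < 4 {
			return info, errors.New("truncated extension header")
		}
		typ, l := binary.BigEndian.Uint16(b[:2]), int(binary.BigEndian.Uint16(b[2:4]))
		if len(b) < 4+l {
			return info, errors.New("truncated extension body")
		}
		info.Extensions = append(info.Extensions, typ)
		switch typ {
		case extExtendedMasterSecret:
			info.HasEMS = true
		case extSupportedVersions:
			if l == 2 {
				info.Version = binary.BigEndian.Uint16(b[4:6])
			}
		}
		b = b[4+l:]
	}
	return info, nil
}

// goFIPSWouldReject mirrors the Go 1.25 FIPS 140-3 rule quoted in the answer:
// a TLS 1.2 handshake without EMS is refused. TLS 1.3 has no EMS extension and is not checked.
func goFIPSWouldReject(info ServerHelloInfo) bool {
	return info.Version == 0x0303 && !info.HasEMS
}

func main() {
	samples := []struct {
		name string
		rec  []byte
	}{
		{"tls12-no-ems", buildServerHello(0x0303, 0xc02f, nil)},
		{"tls12-ems", buildServerHello(0x0303, 0xc02f, []extension{{extExtendedMasterSecret, nil}})},
		{"tls13", buildServerHello(0x0303, 0x1301, []extension{{extSupportedVersions, []byte{0x03, 0x04}}})},
	}
	for _, s := range samples {
		info, err := parseServerHello(s.rec)
		if err != nil {
			fmt.Printf("%-13s parse error: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-13s version=%#04x ems=%v go-fips-reject=%v\n", s.name, info.Version, info.HasEMS, goFIPSWouldReject(info))
	}
}
```

To apply this to a real endpoint, feed parseServerHello the ServerHello record taken from a packet capture of the connection (the block deliberately does not dial out). If the server answers TLS 1.2 without 0x0017, the client-side error is expected and the fixes are on the server or version side: a server build that offers EMS, or negotiating TLS 1.3 so the TLS 1.2 rule never applies.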
