crypto/tls: document FIPS 140-3 mode behavior

Change-Id: I6a6a465612cf76d148b9758ee3fcdc8606497830 Reviewed-on: https://go-review.googlesource.com/c/go/+/648835 Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com>
2025-08-22 14:38:35 +00:00 · 2025-05-10 15:28:42 -04:00 · 2025-05-10 15:28:42 -04:00 · 9caf3f4dfc
commit 9caf3f4dfc
parent 34e6b086a0
1 changed files with 13 additions and 1 deletions
--- a/tls.go
+++ b/tls.go
@ -2,8 +2,20 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE-Go file.

-// Server side implementation of REALITY protocol, a fork of package tls in Go 1.20.
+// Server side implementation of REALITY protocol, a fork of package tls in latest Go.
 // For client side, please follow https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go.
+
+// Package tls partially implements TLS 1.2, as specified in RFC 5246,
+// and TLS 1.3, as specified in RFC 8446.
+//
+// # FIPS 140-3 mode
+//
+// When the program is in [FIPS 140-3 mode], this package behaves as if
+// only protocol versions, cipher suites, signature algorithms, and
+// key exchange algorithms approved by NIST SP 800-52r2 are implemented.
+// Others are silently ignored and not negotiated.
+//
+// [FIPS 140-3 mode]: https://go.dev/doc/security/fips140
 package reality

 // BUG(agl): The crypto/tls package only implements some countermeasures