Summary
efs-proxy in efs-utils 2.3.0+ contains a hardcoded FIPS policy (FIPS_COMPLIANT_POLICY_VERSION = "20230317") that causes TLS mount failures in non-US AWS regions due to ECDHE key generation incompatibility, while the same mounts work with stunnel.
Expected Behavior
TLS mounts should work consistently across all AWS regions, respecting the fips_mode_enabled configuration in /etc/amazon/efs/efs-utils.conf.
Root Cause Analysis
In src/proxy/src/tls.rs, efs-proxy contains a hardcoded FIPS policy:
const FIPS_COMPLIANT_POLICY_VERSION: &str = "20230317";
This policy is applied when tls_config.fips_enabled is true, regardless of the fips_mode_enabled setting in efs-utils.conf. The hardcoded US FIPS cryptographic requirements are incompatible with non-US regional compliance frameworks.
Environment
- efs-utils version: 2.3.3
- Regression seems to be introduced in: efs-utils v2.3.0 (April 17, 2025)
- Last working version: efs-utils v2.2.0 (November 13, 2024)
- Platform: Amazon Linux 2, Kubernetes (EFS CSI Driver)
- Affected regions: Non-US regions (tested in eu-west-1)
- Working regions: US regions (us-east-1, us-west-2)
Summary
efs-proxy in efs-utils 2.3.0+ contains a hardcoded FIPS policy (
FIPS_COMPLIANT_POLICY_VERSION = "20230317") that causes TLS mount failures in non-US AWS regions due to ECDHE key generation incompatibility, while the same mounts work with stunnel.Expected Behavior
TLS mounts should work consistently across all AWS regions, respecting the
fips_mode_enabledconfiguration in/etc/amazon/efs/efs-utils.conf.Root Cause Analysis
In
src/proxy/src/tls.rs, efs-proxy contains a hardcoded FIPS policy:This policy is applied when
tls_config.fips_enabledis true, regardless of thefips_mode_enabledsetting in efs-utils.conf. The hardcoded US FIPS cryptographic requirements are incompatible with non-US regional compliance frameworks.Environment