Go now has a built-in, native FIPS 140-3 compliant mode.

GoLang is an open-source programming language developed by Google, known for its simplicity, concurrency support, and performance. Developers can learn about GoLang's syntax, standard library, and concurrency primitives to build efficient and scalable software applications for various domains.

Go 1.24 introduces native FIPS 140-3 compliance with a built-in cryptographic module that eliminates the need for unsupported solutions like Go+BoringCrypto. The module integrates transparently into applications, can be enabled with the fips140=on GODEBUG option, and supports cross-compilation without cgo dependencies. It has been validated by Geomys across 23 operating environments and covers all FIPS 140-3 approved algorithms in the standard library, including post-quantum ML-KEM. The implementation prioritizes security by maintaining features like hedged ECDSA signatures and kernel-sourced randomness while meeting compliance requirements.

The FIPS 140-3 Go Cryptographic Module

<p>And yet, you still can’t force AES256 in TLS1.3 connections between a Go client and a Go server… AES128 has uncontrollable higher priority, because f*ck your secrets.</p>
