efs-proxy hardcoded FIPS policy causes ECDHE key generation failures in non-US regions

[mugdha-adhav]

Summary

efs-proxy in efs-utils 2.3.0+ contains a hardcoded FIPS policy (FIPS_COMPLIANT_POLICY_VERSION = "20230317") that causes TLS mount failures in non-US AWS regions due to ECDHE key generation incompatibility, while the same mounts work with stunnel.

Expected Behavior

TLS mounts should work consistently across all AWS regions, respecting the fips_mode_enabled configuration in /etc/amazon/efs/efs-utils.conf.

Root Cause Analysis

In src/proxy/src/tls.rs, efs-proxy contains a hardcoded FIPS policy:

const FIPS_COMPLIANT_POLICY_VERSION: &str = "20230317";

This policy is applied when tls_config.fips_enabled is true, regardless of the fips_mode_enabled setting in efs-utils.conf. The hardcoded US FIPS cryptographic requirements are incompatible with non-US regional compliance frameworks.

Environment

• efs-utils version: 2.3.3
• Regression seems to be introduced in: efs-utils v2.3.0 (April 17, 2025)
• Last working version: efs-utils v2.2.0 (November 13, 2024)
• Platform: Amazon Linux 2, Kubernetes (EFS CSI Driver)
• Affected regions: Non-US regions (tested in eu-west-1)
• Working regions: US regions (us-east-1, us-west-2)

[mondaljs]

@mugdha-adhav, we are taking a look

[mondaljs]

@mugdha-adhav

We are not able to reproduce the issue thus far.

We tested efs-utils v2.3.3 with fips_mode_enabled = true in the following configurations:

✅ Amazon Linux 2023 + eu-west-1 → Mount succeeded
✅ Amazon Linux 2 + eu-west-1 → Mount succeeded
Both tests confirmed efs-proxy was using the hardcoded FIPS policy "20230317" and TLS mounts completed successfully

To help us further investigate:

1. What version of csi-driver are you running?
2. Please post the output of the following command after attempting to mount:
   sudo tail -20 /var/log/amazon/efs/mount.log
3. The output of cat /var/run/efs/stunnel-config.*
4. The output of cat /etc/amazon/efs/efs-utils.conf | grep fips
5. The mount command you are using