From 4bc717a0e79e9c30afee66e75cef64c813d463d3 Mon Sep 17 00:00:00 2001
From: Geoffrey Lyu
Date: Wed, 27 May 2026 05:32:38 +0300
Subject: [PATCH] [restapi] Disable TLS session tickets to fix FIPS AES-128-CTR panic

Go's TLS 1.3 server uses AES-128-CTR to encrypt NewSessionTicket payloads, which the SymCrypt FIPS provider does not implement, causing the golang-fips/openssl binding to panic on the first HTTPS request. Disable session tickets to fall back to full handshakes.

Signed-off-by: Geoffrey Lyu
---
 go-server-server/main.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/go-server-server/main.go b/go-server-server/main.go
index 3e9d75c..955ca5d 100644
--- a/go-server-server/main.go
+++ b/go-server-server/main.go
@@ -50,6 +50,10 @@ func StartHttpsServer(handler http.Handler, messenger <-chan int, wgroup *sync.W
 // RequireAndVerifyClientCert
 ClientAuth: tls.RequireAndVerifyClientCert,
 MinVersion: tls.VersionTLS12,
+ // Disable TLS session tickets to avoid an AES-128-CTR
+ // panic in golang-fips/openssl/v2 with the SymCrypt
+ // FIPS provider (which does not implement AES-128-CTR).
+ SessionTicketsDisabled: true,
 }
 tlsConfig.BuildNameToCertificate()
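Review bot: The new comment above `SessionTicketsDisabled: true` explains the crash but not that the setting is unconditional: it turns off ticket-based resumption for every build of this server, FIPS or not, so each new connection pays a full handshake including client-certificate verification. Since the commit message describes the panic as reachable on the first HTTPS request, this line is effectively an availability fix, and the comment should say when it is safe to remove, for example `// Workaround, applies to all builds: keep until the FIPS provider supports AES-128-CTR (tracking: <ISSUE-PLACEHOLDER>).` A small test asserting the field on the constructed config would stop a later cleanup from silently reintroducing the crash, although the config is built inline here and may need a helper to be testable. StartHttpsServer begins and ends outside this hunk, so it is not visible whether the config is later cloned or replaced (for instance through a per-client config callback), which would need the same setting.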