The "new" boringcrypto module has been validated: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4735

• Envoy updates the library tls: update FIPS version to 2022-06-13 envoyproxy/envoy#35534.
• Envoy sets set_compliance_policy (or we find its not needed) #53395
• Go crypto/tls: Permit recently FIPS-approved protocols/algorithms golang/go#62372. Update merged in https://go-review.googlesource.com/c/go/+/603375 (NOT in go1.23, so presumably in go1.24
  • Go sets set_compliance_policy or equivilent https://go-review.googlesource.com/c/go/+/603376
• Rust boring wrapper (which we can optionally build for Ztunnel): Update boringssl-fips to fips-20220613 tag cloudflare/boring#214

When we update our code, do we make a new compliance policy? Or just change the existing one?