diff options
author | Filippo Valsorda <filippo@golang.org> | 2019-08-26 16:18:24 -0400 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2019-08-27 20:56:38 +0000 |
commit | c11853c09b71ebdcc2b960bc30ee8e6e61b0c35b (patch) | |
tree | 09de4ddb3675300bc19bd092b1f731a5a4f3130f | |
parent | 44a66acc716f39325f78ff8bc9be4567326591c9 (diff) | |
download | go-c11853c09b71ebdcc2b960bc30ee8e6e61b0c35b.tar.gz go-c11853c09b71ebdcc2b960bc30ee8e6e61b0c35b.zip |
[release-branch.go1.13] crypto/tls: make SSLv3 again disabled by default
It was mistakenly re-enabled in CL 146217.
Updates #33837
Change-Id: I8c0e1787114c6232df5888e51e355906622295bc
Reviewed-on: https://go-review.googlesource.com/c/go/+/191877
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
(cherry picked from commit 2ebc3d8157fedba633ce90c5454827512734a793)
Reviewed-on: https://go-review.googlesource.com/c/go/+/191998
-rw-r--r-- | doc/go1.13.html | 13 | ||||
-rw-r--r-- | src/crypto/tls/common.go | 4 | ||||
-rw-r--r-- | src/crypto/tls/handshake_server_test.go | 14 |
3 files changed, 27 insertions, 4 deletions
diff --git a/doc/go1.13.html b/doc/go1.13.html index ef56a862a5..f13c0e58e7 100644 --- a/doc/go1.13.html +++ b/doc/go1.13.html @@ -593,10 +593,15 @@ godoc <dd> <p> Support for SSL version 3.0 (SSLv3) <a href="https://golang.org/issue/32716"> - is now deprecated and will be removed in Go 1.14</a>. Note that SSLv3 - <a href="https://tools.ietf.org/html/rfc7568">is cryptographically - broken</a>, is already disabled by default in <code>crypto/tls</code>, - and was never supported by Go clients. + is now deprecated and will be removed in Go 1.14</a>. Note that SSLv3 is the + <a href="https://tools.ietf.org/html/rfc7568">cryptographically broken</a> + protocol predating TLS. + </p> + + <p> + SSLv3 was always disabled by default, other than in Go 1.12, when it was + mistakenly enabled by default server-side. It is now again disabled by + default. (SSLv3 was never supported client-side.) </p> <p><!-- CL 177698 --> diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go index da1eae0800..ef0b385848 100644 --- a/src/crypto/tls/common.go +++ b/src/crypto/tls/common.go @@ -794,6 +794,10 @@ var supportedVersions = []uint16{ func (c *Config) supportedVersions(isClient bool) []uint16 { versions := make([]uint16, 0, len(supportedVersions)) for _, v := range supportedVersions { + // TLS 1.0 is the default minimum version. + if (c == nil || c.MinVersion == 0) && v < VersionTLS10 { + continue + } if c != nil && c.MinVersion != 0 && v < c.MinVersion { continue } diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go index 22b126fa22..a9c1c08cbc 100644 --- a/src/crypto/tls/handshake_server_test.go +++ b/src/crypto/tls/handshake_server_test.go @@ -77,6 +77,20 @@ func TestRejectBadProtocolVersion(t *testing.T) { }, "unsupported versions") } +func TestSSLv3OptIn(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = 0 + testClientHelloFailure(t, config, &clientHelloMsg{ + vers: VersionSSL30, + random: make([]byte, 32), + }, "unsupported versions") + testClientHelloFailure(t, config, &clientHelloMsg{ + vers: VersionTLS12, + supportedVersions: []uint16{VersionSSL30}, + random: make([]byte, 32), + }, "unsupported versions") +} + func TestNoSuiteOverlap(t *testing.T) { clientHello := &clientHelloMsg{ vers: VersionTLS10, |