diff options
author | Filippo Valsorda <filippo@golang.org> | 2019-02-05 15:27:56 -0500 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2019-02-07 18:34:43 +0000 |
commit | 7ccd3583eddcd79679fb29cfc83a6e6fb6973f1e (patch) | |
tree | 2e0003c76862f5f80907778c5e6265fdb7c5814f /src/crypto/tls/key_agreement.go | |
parent | 5d9bc60893d66073ca82eecee7c9800321535f52 (diff) | |
download | go-7ccd3583eddcd79679fb29cfc83a6e6fb6973f1e.tar.gz go-7ccd3583eddcd79679fb29cfc83a6e6fb6973f1e.zip |
crypto/tls: disable RSA-PSS in TLS 1.2
Most of the issues that led to the decision on #30055 were related to
incompatibility with or faulty support for RSA-PSS (#29831, #29779,
v1.5 signatures). RSA-PSS is required by TLS 1.3, but is also available
to be negotiated in TLS 1.2.
Altering TLS 1.2 behavior based on GODEBUG=tls13=1 feels surprising, so
just disable RSA-PSS entirely in TLS 1.2 until TLS 1.3 is on by default,
so breakage happens all at once.
Updates #30055
Change-Id: Iee90454a20ded8895e5302e8bcbcd32e4e3031c2
Reviewed-on: https://go-review.googlesource.com/c/160998
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Diffstat (limited to 'src/crypto/tls/key_agreement.go')
-rw-r--r-- | src/crypto/tls/key_agreement.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go index 628e578e48..05fe77b3e2 100644 --- a/src/crypto/tls/key_agreement.go +++ b/src/crypto/tls/key_agreement.go @@ -177,7 +177,7 @@ NextCandidate: return nil, errors.New("tls: certificate private key does not implement crypto.Signer") } - signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithms, ka.version) + signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(priv.Public(), clientHello.supportedSignatureAlgorithms, supportedSignatureAlgorithmsTLS12, ka.version) if err != nil { return nil, err } |