diff options
author | Filippo Valsorda <filippo@golang.org> | 2019-08-27 17:27:45 -0400 |
---|---|---|
committer | Filippo Valsorda <filippo@golang.org> | 2019-08-27 22:24:05 +0000 |
commit | ffcb678f47bfd30de182320b6d057ca4428e976d (patch) | |
tree | e2b372a8d718ba9d1211c3fdfa1286a938342027 /src/crypto/tls/key_agreement.go | |
parent | 52ae04fdfc66664b327a4cb4057e339f132de8f9 (diff) | |
download | go-ffcb678f47bfd30de182320b6d057ca4428e976d.tar.gz go-ffcb678f47bfd30de182320b6d057ca4428e976d.zip |
crypto/tls: remove SSLv3 support
SSLv3 has been irreparably broken since the POODLE attack 5 years ago
and RFC 7568 (f.k.a. draft-ietf-tls-sslv3-diediedie) prohibits its use
in no uncertain terms.
As announced in the Go 1.13 release notes, remove support for it
entirely in Go 1.14.
Updates #32716
Change-Id: Id653557961d8f75f484a01e6afd2e104a4ccceaf
Reviewed-on: https://go-review.googlesource.com/c/go/+/191976
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Diffstat (limited to 'src/crypto/tls/key_agreement.go')
-rw-r--r-- | src/crypto/tls/key_agreement.go | 13 |
1 files changed, 5 insertions, 8 deletions
diff --git a/src/crypto/tls/key_agreement.go b/src/crypto/tls/key_agreement.go index 2922017cc4..3b10cb4542 100644 --- a/src/crypto/tls/key_agreement.go +++ b/src/crypto/tls/key_agreement.go @@ -29,15 +29,12 @@ func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certifi if len(ckx.ciphertext) < 2 { return nil, errClientKeyExchange } - - ciphertext := ckx.ciphertext - if version != VersionSSL30 { - ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1]) - if ciphertextLen != len(ckx.ciphertext)-2 { - return nil, errClientKeyExchange - } - ciphertext = ckx.ciphertext[2:] + ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1]) + if ciphertextLen != len(ckx.ciphertext)-2 { + return nil, errClientKeyExchange } + ciphertext := ckx.ciphertext[2:] + priv, ok := cert.PrivateKey.(crypto.Decrypter) if !ok { return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter") |